
D-Link DFL-500 User's Manual


Contents

1. See Adding an encrypt policy.

Configuring manual key IPSec VPN

A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

To create a manual key VPN configuration:
- Add a manual key VPN tunnel. See Adding a manual key VPN tunnel.
- Add an encrypt policy that includes the tunnel, the source address and the destination address for both ends of the tunnel. See Adding an encrypt policy.

Configuring dialup VPN

Use a dialup VPN configuration to allow remote clients or VPN gateways with dynamic IP addresses to connect to a DFL-500 VPN gateway. Clients or gateways with dynamic IP addresses can be home or travelling users who dial into the Internet and are dynamically assigned an IP address by their ISP using PPPoE, DHCP or a similar protocol.

A dialup VPN configuration consists of a remote gateway and one or more VPN tunnels for this remote gateway. For each VPN tunnel you must add an encrypt policy to control access to the VPN tunnel. Dialup VPN has several configurations for user authentication. For information about dialup VPN authentication, see About dialup VPN authentication.

To create a dialup VPN configuration:
- Add a remote gateway and select Dialup User. See Adding a remote gateway. When you configure the Remote Gateway you can require users to authenticate before accessing the remote gateway
2. Changing web-based manager options

You can change the web-based manager idle timeout and the firewall user authentication timeout. You can also change the language and character set used by the web-based manager.

- Go to System > Config > Options.
- Set the web-based manager idle timeout. Set the Idle Timeout to control the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The default idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). A long idle timeout leaves an unattended administrator session usable by anyone at that workstation, so keep it short on shared or exposed management computers.
- Set the firewall user authentication timeout. For more information, see Users and authentication. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).
- Choose the character set and language that the web-based manager uses. You can choose from English, Simplified Chinese, Japanese, Korean or Traditional Chinese. When the web-based manager language is set to Simplified Chinese, Japanese, Korean or Traditional Chinese, you can change back to English by selecting the English button on the upper right of the web-based manager.
- Select Apply. The options that you have selected take effect.

Adding and editing administrator accounts

When the DFL-500 NPG is initially installed it is configured with a single administrator account with the user name admin. From this administrator account you can add and edit administrator accounts. You can also control the access level of each of
3. Source: Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses.

Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. To add an address, see Addresses.

Schedule: A schedule that controls when this policy is available to be matched with connections. See Schedules.

Service: A service that matches the service port number of the packet. You can select from a wide range of predefined services or add custom services and service groups. See Services.

Action: Select how the firewall should respond when the policy matches a connection attempt. You can configure the policy to direct the firewall to ACCEPT the connection or DENY the connection. If you select ACCEPT, you can also configure Authentication for the policy.

Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection.

Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to select the users that can authenticate with this policy. To add and configure user groups, see Users and authentication. You must add user groups before you can select authentication. You can select Authentication
4. Transparent mode settings

Administrator Password: ____
Management IP: ____   Netmask: ____   Default Gateway: ____
The management IP address and netmask must be valid for the network from which you will manage the DFL-500 NPG. Add a default gateway if the DFL-500 NPG must connect to a router to reach the management computer.
DNS Settings: Primary DNS Server: ____   Secondary DNS Server: ____

Using the setup wizard

From the web-based manager you can use the setup wizard to create the initial configuration of your DFL-500 NPG. To connect to the web-based manager, see Connecting to the web-based manager.

Changing to Transparent mode

The first time that you connect to the DFL-500 NPG it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:
- Go to System > Status.
- Select Change to Transparent Mode.
- Select Transparent in the Operation Mode list.
- Select OK.

The DFL-500 NPG changes to Transparent mode. To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2, connect to the DFL-500 NPG internal interface and browse to https:// followed by the Transparent mode management IP address. The default Transparent mode management IP address is 10.10.10.1.

Starting the setup wizard
- Select Easy Setup Wizard (the button in the upper right corner of the web-based manager).
- Use the information that you
5. You can now add the virtual IP to Ext->Int firewall policies.

Using port forwarding virtual IPs
- Go to Firewall > Virtual IP.
- Select New to add a virtual IP.
- Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
- Change Type to Port Forwarding.
- In the External IP Address field, enter the external IP address to be mapped to an address in the more secure zone. You can set the External IP Address to the address of the external interface or to any other address. For example, if the virtual IP provides access from the Internet to a server on your internal network, the External IP Address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the firewall external interface.

[Figure: Adding a Port Forwarding virtual IP. Name: Web_Server; Type: Port Forwarding; External IP Address: 192.160.100.99; External Service Port; Map to IP: 192.168.11.85; Map to Port; Protocol: TCP.]

- Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the
6. ...and _. The < > & characters are not allowed.

Contact: Add the contact information for the person responsible for this DFL-500 NPG. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. The < > & characters are not allowed.

Get Community: Also called the read community, the get community string is a password that identifies SNMP get requests sent to the DFL-500 NPG. When an SNMP manager sends a get request to the DFL-500 NPG, it must include the correct get community string. The default get community string is public. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The same get community string must be configured in your SNMP manager to enable it to access DFL-500 SNMP information. The get community string can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. The < > & characters are not allowed. Note that SNMPv1 and SNMPv2c carry the community string unencrypted in every request and trap, so anyone who can capture traffic on the management network can read it; restrict which hosts can reach the SNMP service as well as changing the string.

Trap Community: The trap community string functions like a password that is sent with SNMP traps. The default trap community string is public. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the
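The point that a community string is only a cleartext password is easiest to see on the wire. The following is an added example written for this page (not D-Link code, and it contacts no device): it hand-encodes an SNMPv1 GetRequest for sysDescr.0 with the BER types SNMPv1 needs, then parses the community string straight back out of the bytes, which is what any host sniffing the management segment can do. The audit function applies the rules stated above (default value, 31-character limit, no < > & characters); the OID, request-id and example community strings are constructed.

```python
"""SNMPv1 GetRequest: the community string travels unencrypted.

Added example for this page, not D-Link code.  Hand-rolled BER for the few
types an SNMPv1 GetRequest needs; the request is built in memory only.
"""


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    """INTEGER for non-negative values (version, request-id, error fields)."""
    if value < 0:
        raise ValueError("negative values are not needed here")
    # one extra leading byte whenever the top bit would otherwise be set
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # standard MIB-II sysDescr.0


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")            # { name, value NULL }
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> str:
    """Recover the community string from a captured SNMPv1/v2c datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, _version, pos = _read_tlv(body, 0)
    ctag, community, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("not an SNMPv1/v2c message")
    return community.decode("ascii", errors="replace")


def audit_community(community: str) -> list:
    """Problems with a community string according to the rules on this page."""
    problems = []
    if community in ("public", "private"):
        problems.append("default community string")
    if len(community) > 31:
        problems.append("longer than 31 characters")
    if any(c in "<>&" for c in community):
        problems.append("contains < > or &")
    return problems


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print("sniffed community:", extract_community(pkt), audit_community("public"))
```

Running the block prints the 40-byte request and shows "public" recovered from it; swapping in a non-default string changes nothing about its visibility, which is why the manual's advice to change the string has to be paired with limiting who can send SNMP to the unit.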
7. ...manual for the product, and normal maintenance; damage that occurs in shipment, due to act of God, failures due to power surge, and cosmetic damage; and any hardware, software, firmware or other products or services provided by anyone other than D-Link.

Disclaimer of Other Warranties: EXCEPT FOR THE 1-YEAR LIMITED WARRANTY SPECIFIED HEREIN, THE PRODUCT IS PROVIDED "AS-IS" WITHOUT ANY WARRANTY OF ANY KIND INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IF ANY IMPLIED WARRANTY CANNOT BE DISCLAIMED IN ANY TERRITORY WHERE A PRODUCT IS SOLD, THE DURATION OF SUCH IMPLIED WARRANTY SHALL BE LIMITED TO NINETY (90) DAYS. EXCEPT AS EXPRESSLY COVERED UNDER THE LIMITED WARRANTY PROVIDED HEREIN, THE ENTIRE RISK AS TO THE QUALITY, SELECTION AND PERFORMANCE OF THE PRODUCT IS WITH THE PURCHASER OF THE PRODUCT.

Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED BY LAW, D-LINK IS NOT LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT, INCONVENIENCE OR DAMAGES OF ANY CHARACTER, WHETHER DIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOSS OF INFORMATION OR DATA CONTAINED IN, STORED ON, OR INTEGRATED WITH ANY PRODUCT RETURNED TO D-LINK FOR WARRANTY SERVICE) RESULTING FROM THE USE OF THE PRODUCT, RELATING TO WARRANTY
8. ...replay detection; testing; tunnel name. Java applets, removing from web pages.

K: keep alive (IPSec AutoIKE key VPN tunnel); keepalive frequency (IPSec VPN remote gateway); keylife (IPSec AutoIKE key VPN tunnel; IPSec VPN remote gateway).

L: L2TP: adding firewall policy; configuring; configuring gateway; definition; enabling; ending IP; network configuration; starting IP; user groups. L2TP gateway, configuring. language, web-based manager. lease duration, DHCP. Local ID, IPSec VPN remote gateway. local SPI, IPSec VPN manual key. log traffic, policy option. logging: log all events; log all external traffic to firewall; log all internal traffic to firewall; log to remote host; log to WebTrends; recording logs on a remote computer; selecting what to log; settings.

M: MAC address. main mode, IPSec VPN remote gateway. management access, controlling. management interface, Transparent mode. management IP address, Transparent mode. manual key: adding VPN tunnel; IPSec VPN; IPSec VPN encryption algorithm; IPSec VPN encryption key; IPSec VPN remote gateway. manual key VPN tunnel: adding; authentication key. matching policy. memory usage, system status. mode, IPSec VPN remote gateway. monitor, system status. MTU: MTU size, changing; improving network performance.

N: NAPT (Network Address Port Translation). NAT mode: introduction; IP addresses; policy; policy, adding. NAT traversal
9. ...that maps the external IP address of the web server to the actual address of the web server on your internal network. To allow connections from the Internet to the web server, you must then add an Ext->Int firewall policy and set Destination to the virtual IP.

You can create two types of virtual IPs:

Static NAT: Used in Ext->Int policies to translate an address on the Internet to a hidden address on the internal network. Static NAT also translates the source address of outbound packets from the hidden address to the address on the Internet.

Port Forwarding: Used in Ext->Int policies to translate an address and a port number on a less secure network to a hidden address and, optionally, a different port number on a more secure network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

Note: If you use the setup wizard to configure internal server settings, the firewall adds port forwarding virtual IPs and Ext->Int policies for each server that you configure.

Note: Virtual IPs are not required in Transparent mode.

This section describes: Adding static NAT virtual IPs; Using port forwarding virtual IPs; Adding policies with virtual IPs; Adding
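The practical difference between the two virtual IP types is how much of the internal host each one exposes. The following added example (written for this page; not D-Link code) models the destination rewrite each type applies to an Ext->Int packet, the source rewrite a static NAT virtual IP applies to traffic leaving the hidden host, and a probe that counts which external ports reach an internal host through each type. It serves both the port forwarding procedure above and this overview. All addresses are constructed, and the rule that the first virtual IP whose external side matches is the one applied is an assumption of this model, not something the page states.

```python
"""Static NAT versus port forwarding virtual IPs.

Added example for this page, not DFL-500 code.  Addresses are constructed;
"first matching VIP wins" is an assumption of this model.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Union


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticNatVip:
    """One external address <-> one hidden address, every port and protocol."""
    name: str
    external_ip: str
    map_to_ip: str


@dataclass(frozen=True)
class PortForwardVip:
    """One external address + service port -> hidden address + (possibly different) port."""
    name: str
    external_ip: str
    external_port: int
    map_to_ip: str
    map_to_port: int
    proto: str = "tcp"


Vip = Union[StaticNatVip, PortForwardVip]


def translate_inbound(vips: Sequence[Vip], pkt: Packet) -> Optional[Packet]:
    """Rewrite the destination of an Ext->Int packet.  None means no VIP claims
    it (the address belongs to the firewall itself, or the port was never forwarded)."""
    for vip in vips:
        if isinstance(vip, StaticNatVip) and pkt.dst_ip == vip.external_ip:
            return replace(pkt, dst_ip=vip.map_to_ip)            # port left unchanged
        if (isinstance(vip, PortForwardVip) and pkt.proto == vip.proto
                and pkt.dst_ip == vip.external_ip and pkt.dst_port == vip.external_port):
            return replace(pkt, dst_ip=vip.map_to_ip, dst_port=vip.map_to_port)
    return None


def translate_outbound(vips: Sequence[Vip], pkt: Packet) -> Packet:
    """Static NAT also rewrites the source of connections the hidden host opens.
    A port forwarding VIP does not; replies to a forwarded connection are
    un-translated by the session state, not by the VIP."""
    for vip in vips:
        if isinstance(vip, StaticNatVip) and pkt.src_ip == vip.map_to_ip:
            return replace(pkt, src_ip=vip.external_ip)
    return pkt


def exposed_ports(vips: Sequence[Vip], external_ip: str, probe_ports=range(1, 1025)) -> List[int]:
    """Ports on `external_ip` that reach an internal host before the Ext->Int
    policy's Service field is even consulted."""
    probe = Packet("198.51.100.7", 40000, external_ip, 0)
    return [p for p in probe_ports
            if translate_inbound(vips, replace(probe, dst_port=p)) is not None]


# Constructed configuration: one static NAT host, one port-forwarded web server.
VIPS = [
    StaticNatVip("mail_server", external_ip="203.0.113.10", map_to_ip="192.168.1.10"),
    PortForwardVip("web_server", external_ip="203.0.113.20", external_port=80,
                   map_to_ip="192.168.1.20", map_to_port=8080),
]

if __name__ == "__main__":
    print(translate_inbound(VIPS, Packet("198.51.100.7", 40000, "203.0.113.20", 80)))
    print("static NAT exposes", len(exposed_ports(VIPS, "203.0.113.10")), "of 1024 probed ports")
    print("port forwarding exposes", exposed_ports(VIPS, "203.0.113.20"))
```

The probe makes the design point concrete: a static NAT virtual IP relies entirely on the Service field of the Ext->Int policy to limit what is reachable, whereas a port forwarding virtual IP limits it before the policy is applied.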
10. ...500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. For more information on NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.

To set the date and time:
- Go to System > Config > Time.
- Select Refresh to display the current DFL-500 NPG date and time.
- Select your Time Zone from the list.
- If required, select Daylight Saving Time.
- Optionally, select Set Time and set the DFL-500 NPG date and time to the correct date and time.

[Figure: Example date and time setting. System Time: Thu Jul 3 11:34:10 2003; Time Zone: (GMT-08:00) Pacific Time (US & Canada); Daylight Saving Time; Set Time: Hour 11, Month Jul, Day 3, Year 2003; Synchronize with NTP Server; Server; Sync Interval.]

- To configure the DFL-500 NPG to use NTP, select Synchronize with NTP Server. By default the DFL-500 NPG is configured to connect to an NTP server at IP address 192.5.5.250, which is the IP address of an NTP server maintained by the Internet Software Consortium at Palo Alto, CA, USA.
- Optionally, enter the IP address of a different NTP server.
- Specify how often the DFL-500 NPG should synchronize its time with the NTP server. A typical Sync Interval would be 1440 minutes, for the DFL-500 NPG to synchronize its time once a day.
- Select Apply.

Keep the clock synchronized: the unit's traffic and event logs can only be correlated with other systems during an investigation if its timestamps are accurate.
11. ...Console connector and to an available communications port on your computer. Make sure that the DFL-500 NPG is powered on. Start HyperTerminal, enter a name for the connection and select OK. Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable, and select OK. Select the following port settings and select OK: Bits per second 9600; Data bits 8; Parity None; Stop bits 1; Flow control None.
- Press Enter to connect to the DFL-500 CLI. The following prompt appears: DFL-500 login:
- Type admin and press Enter. The following prompt appears: Type ? for a list of commands.

For information on how to use the CLI, see the DFL-500 CLI Reference Guide.

Next steps

Now that your DFL-500 NPG is up and running, you can proceed to configure it for operation.
- If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode installation.
- If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode installation.

NAT/Route mode installation

This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the DFL-500 NPG in Transparent mode, see Transparent mode installation. This chapter includes:
- Preparing to configure NAT/Route mode
- Using the setup wizard
- Using the command line interface
- Connecting to your networks
- Configu
12. IPSec: Internet Protocol Security. A set of protocols that support secure exchange of packets at the IP layer. IPSec is most often used to support VPNs.

LAN: Local Area Network. A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.

MAC address: Media Access Control address. A hardware address that uniquely identifies each node of a network.

MIB: Management Information Base. A database of objects that can be monitored by an SNMP network manager.

Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.

MTU: Maximum Transmission Unit. The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent. Ideally you want the MTU your network produces to be the same as the smallest MTU of all the networks between your machine and a message's final destination. If your messages are larger than one of the intervening MTUs, they get broken up (fragmented), which slows down transmission speeds.

Netmask: Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message
13. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.

Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see IP pools. You cannot select Dynamic IP Pool for Int->Ext policies if the external interface is configured using DHCP or PPPoE.

Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.

VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel.

Allow inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.

Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.

Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the DFL-500 NPG internal IP address.

Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the DFL-500 NPG external IP address.

Log Traffic: Select Log Traffic to write messages to the traffic
14. [Figure: AutoIKE key VPN tunnel, phase 2 settings. Enable replay detection; Enable perfect forward secrecy (PFS); DH Group; Keylife (Seconds / KBytes); Autokey Keep Alive (Enable); Concentrator (None).]

About the P2 proposal

During tunnel negotiation, the VPN gateways negotiate to select a common algorithm for data communication. When you select algorithms for the P2 proposal, you are selecting the algorithms that the DFL-500 NPG proposes during phase 2 negotiation. For phase 2 to be completed successfully, each VPN gateway must have at least one encryption and one authentication algorithm in common.
- Select DES to propose to encrypt packets using DES encryption.
- Select 3DES to propose to encrypt packets using triple DES encryption.
- Select MD5 to propose to use MD5 authentication.
- Select SHA1 to propose to use SHA1 authentication.
- Select NULL to propose that the VPN packets not be encrypted, or that a hash is not made for authentication.

Of the choices offered, single DES has a 56-bit key and is no longer considered adequate against a determined attacker, and a NULL encryption or NULL authentication proposal sends the tunnel's payload in the clear or without integrity protection. Propose 3DES and SHA1 unless the peer cannot support them, and only offer NULL when the peer requires it.

About replay detection

IPSec tunnels can be vulnerable to replay attacks. A replay attack occurs when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. An attacker can use this technique to cause a denial of service (DoS) attack by flooding the tunnel with packets. An attacker could also change and then replay intercepted packets to attempt to gain entry to a trusted network. Enable replay detection to check the sequence number of e
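What "check the sequence number" amounts to in practice is a sliding window over the ESP/AH sequence numbers of one security association. The following added example (written for this page; not the DFL-500's code) implements the standard anti-replay window from RFC 4303 Appendix A: each received sequence number is accepted once, late packets inside the window are still accepted, and duplicates or packets older than the window are dropped. The sequence numbers in the demo are constructed, including two re-injected packets.

```python
"""Sliding-window replay detection for ESP/AH sequence numbers.

Added example, not DFL-500 code; follows the window algorithm described in
RFC 4303 Appendix A.  Sequence numbers in the demo are constructed.
"""

SEQ_MAX = 0xFFFFFFFF   # 32-bit sequence number; the SA must be rekeyed before it wraps


class ReplayWindow:
    """Highest sequence number accepted so far plus a bitmap of the `size`
    most recent numbers: late packets are accepted once, replays are rejected."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted (0 = none yet)
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is fresh (and record it), False if it must be dropped."""
        if seq == 0 or seq > SEQ_MAX:
            return False                      # 0 is never sent; past SEQ_MAX the SA is exhausted
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything seen before falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: cannot tell, drop
        if self.bitmap & (1 << offset):
            return False                      # already received: this is a replay
        self.bitmap |= 1 << offset            # late but unseen: accept once
        return True


def process_stream(seqs, size: int = 64):
    """Run a list of observed sequence numbers through one window."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


def dropped_packets(seqs, size: int = 64):
    """Indices of the packets that replay detection would drop."""
    return [i for i, ok in enumerate(process_stream(seqs, size)) if not ok]


if __name__ == "__main__":
    # Constructed capture: the attacker re-injects packets 3 and 5 after packet 100.
    stream = [1, 2, 3, 4, 5, 100, 3, 5, 36, 37]
    print(process_stream(stream))
    print("dropped:", dropped_packets(stream))
```

With replay detection disabled, every packet in that stream would be passed to decryption; with it enabled, the two re-injected packets and the stale one are dropped before any cryptographic work is done, which is what limits the DoS described above.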
15. [Figure: PPTP VPN between a Windows client and the DFL-500 NPG. PPTP gateway (external address 1.1.1.1), Internet, Windows client.]

Configuring the DFL-500 NPG as a PPTP gateway
- Create a user group for your PPTP users. See Users and authentication.
- Go to VPN > PPTP > PPTP Range.
- Select Enable PPTP.
- Enter the Starting IP and the Ending IP for the PPTP address range.
- Select the User Group that you added in the first step.
- Select Apply to enable PPTP through the DFL-500 NPG.

[Figure: Example PPTP Range configuration. Enable PPTP; Starting IP: 192.168.1.100; Ending IP: 192.168.1.110; User Group: PPTP_users.]

Note: When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported, and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP. In that configuration the tunnel carries the clients' traffic across the Internet unencrypted, so treat it as an unprotected link.

- Add the addresses from the PPTP address range to the external interface address list. The addresses can be grouped into an external address group.
- Add the addresses to which PPTP users can connect to the internal interface. The addresses can be grouped into an address group.
- Add an Ext->Int policy to allow PPTP clients to connect through the DFL-500 NPG. Configure the policy as follows:
Source: The address group that matches the PPTP address range.
Destination: The address to which PPTP users can connect
16. ...SERVICE, OR ARISING OUT OF ANY BREACH OF THIS LIMITED WARRANTY, EVEN IF D-LINK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOLE REMEDY FOR A BREACH OF THE FOREGOING LIMITED WARRANTY IS REPAIR, REPLACEMENT OR REFUND OF THE DEFECTIVE OR NON-CONFORMING PRODUCT.

GOVERNING LAW: This 1-Year Warranty shall be governed by the laws of the state of California. Some states do not allow exclusion or limitation of incidental or consequential damages, or limitations on how long an implied warranty lasts, so the foregoing limitations and exclusions may not apply. This limited warranty provides specific legal rights and the product owner may also have other rights which vary from state to state.

Trademarks: Copyright 2001 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.

Copyright Statement: No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976.

FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
17. [Figure: Encrypt policy example. Schedule: Always; Service; Action: ENCRYPT; VPN Tunnel: AutoIKE_tunnel_1; Allow inbound; Inbound NAT; Allow outbound; Outbound NAT; Traffic Shaping (guaranteed and maximum bandwidth); Traffic Priority: High; Log Traffic; Web filter (show settings).]

Viewing dialup VPN connection status

You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source and proxy ID destination for each tunnel.

To view dialup connection status:
- Go to VPN > IPSec > Dialup.

The Lifetime column displays how long the connection has been up. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The Proxy ID Source column displays the actual IP address or subnet address of the remote peer. The Proxy ID Destination column displays the actual IP address or subnet address of the local peer.

Testing a VPN

To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-500 NPG.

To confirm that a VPN between a n
18. ...System Settings.
- Type a name and location for the file. The system settings file is backed up to the management computer. The file holds the unit's configuration, so store it with the same care as the administrator password.
- Select Return to go back to the Status page.

Restoring system settings

This procedure does not restore the web content and URL filtering lists. To restore these lists, see Backing up and restoring the banned word list, Uploading a URL block list and Uploading an Exempt URL list.

You can restore system settings by uploading a previously downloaded system settings text file.
- Go to System > Status.
- Select System Settings Restore.
- Enter the path and filename of the system settings file, or select Browse and locate the file.
- Select OK to restore the system settings file to the DFL-500 NPG. The DFL-500 NPG uploads the file and restarts, loading the new system settings.
- Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.

Restoring system settings to factory defaults

Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the DFL-500 NPG firmware version.

This procedure deletes the changes that you have made to the DFL-500 NPG configuration and reverts the system to its original configuration, including resetting interface addresses.
- Go to System > Status.
- Select Restore Factory Defaults.
- Select OK to confirm. The DFL-500
19. ...add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
- To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
- Select OK to add the service group.

Schedules

Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once, for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

This section describes:
- Creating one-time schedules
- Creating recurring schedules
- Adding a schedule to a policy

Creating one-time schedules

You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default Internal to External policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.
- Go to Firewall > Schedule > One-time.
- Select New.
- Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and
20. E-MAIL: dssqa@tsc.dlinktw.com.tw; URL: www.dlinktw.com.tw

D-LINK EUROPE: 4th Floor, Merit House, Edgware Road, Colindale, London NW9 5AB, U.K. TEL: 44-20-8731-5555; FAX: 44-20-8731-5511; E-MAIL: info@dlink.co.uk; URL: www.dlink.co.uk

D-LINK U.S.A.: 53 Discovery Drive, Irvine, CA 92618, USA. TEL: 1-949-788-0805; FAX: 1-949-753-7033; INFO LINE: 1-800-326-1688; BBS: 1-949-455-1779, 1-949-455-9616; E-MAIL: tech@dlink.com, support@dlink.com; URL: www.dlink.com

Registration Card

Print, type or use block letters.
Your name: Mr./Ms. ____ Organization: ____ Dept.: ____ Your title at organization: ____ Telephone: ____ Fax: ____ Organization's full address: ____ Country: ____ Date of purchase (Month/Day/Year): ____ Product Model: ____ Product Serial No.: ____ Product installed in type of computer (e.g., Compaq 486): ____ Product installed in computer serial No. (applies to adapters only): ____ Product was purchased from: Reseller's name: ____ Telephone: ____ Fax: ____ Reseller's full address: ____

Answers to the following questions help us to support your product:
1. Where and how will the product primarily be used? [ ] Home [ ] Office [ ] Travel [ ] Company Business [ ] Home Business [ ] Personal Use
2. How many employees work at the installation site? [ ] 1 employee [ ] 2-9 [ ] 10-49 [ ] 50-99 [ ] 100-499 [ ] 500-999 [ ] 1000 or more
3. What network protocol(s) does your organization use? [ ] XNS/IPX [ ] TCP/IP [ ] DECnet [ ] Others
4. What network operating system(s) does
21.
- Select Enable IP/MAC binding going to the firewall.
- Go to Firewall > IP/MAC Binding > Static IP/MAC.
- Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets normally allowed to connect to the firewall are compared with the entries in the IP/MAC binding table. If a match is found in the IP/MAC binding table:
- If IP/MAC binding is set to Allow traffic, then IP/MAC binding allows the packet to connect to the firewall.
- If IP/MAC binding is set to Block traffic, then IP/MAC binding stops the packet from connecting to the firewall.

Because the check relies on the source MAC address, which any host on the segment can set to an arbitrary value, treat IP/MAC binding as a guard against accidental address changes rather than as authentication of the sending host.

Adding IP/MAC addresses
- Go to Firewall > IP/MAC Binding > Static IP/MAC.
- Select New to add an IP address/MAC address pair.
- Enter the IP address and the MAC address. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list. Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the IP/MAC binding list.
- Enter a Name for the new IP/MAC address pair. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
- Select Enable
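The wildcard rules above are easy to get backwards when building a binding list, so here is an added example (written for this page; not D-Link code) of a table that enforces them: several IP addresses may share one MAC, one IP may not be bound to several MACs, and 0.0.0.0 or 00:00:00:00:00:00 match any address on that side. It returns the Allow/Block decision only when an entry matches, because the page says nothing about packets that match no entry. Entry names and addresses are constructed.

```python
"""IP/MAC binding table lookup with the wildcard rules this page describes.

Added example, not DFL-500 code.  Addresses in the demo are constructed; the
outcome for an unmatched packet is deliberately left to the caller.
"""
from typing import List, Optional, Tuple

ANY_IP = "0.0.0.0"
ANY_MAC = "00:00:00:00:00:00"


def norm_mac(mac: str) -> str:
    """Compare MACs case-insensitively and regardless of ':' or '-' separators."""
    return mac.lower().replace("-", ":")


class IpMacBindingTable:
    def __init__(self, traffic: str):
        if traffic not in ("allow", "block"):
            raise ValueError("traffic must be 'allow' or 'block'")
        self.traffic = traffic                          # what a match means
        self.entries: List[Tuple[str, str, str]] = []   # (name, ip, mac)

    def add(self, name: str, ip: str, mac: str) -> None:
        """Reject a second MAC for an IP that is already bound; 0.0.0.0 is exempt
        because it is the wildcard the page allows for several MACs."""
        mac = norm_mac(mac)
        if ip != ANY_IP:
            for _, bound_ip, bound_mac in self.entries:
                if bound_ip == ip and bound_mac != mac:
                    raise ValueError(f"{ip} is already bound to {bound_mac}")
        self.entries.append((name, ip, mac))

    def match(self, ip: str, mac: str) -> Optional[str]:
        """Name of the first entry matching the packet's IP and MAC, or None."""
        mac = norm_mac(mac)
        for name, bound_ip, bound_mac in self.entries:
            if bound_ip in (ANY_IP, ip) and bound_mac in (ANY_MAC, mac):
                return name
        return None

    def decision(self, ip: str, mac: str) -> Optional[bool]:
        """True = may connect to the firewall, False = blocked, None = no entry matched."""
        if self.match(ip, mac) is None:
            return None
        return self.traffic == "allow"


def demo_table() -> IpMacBindingTable:
    """Constructed binding list exercising each rule."""
    t = IpMacBindingTable("allow")
    t.add("desk1", "192.168.1.5", "00:11:22:33:44:55")
    t.add("desk1-alias", "192.168.1.6", "00-11-22-33-44-55")     # two IPs, one MAC: allowed
    t.add("printer-any-ip", ANY_IP, "aa:bb:cc:dd:ee:ff")         # any IP from this MAC
    t.add("guest-any-mac", "192.168.1.200", ANY_MAC)             # any MAC using this IP
    return t


if __name__ == "__main__":
    t = demo_table()
    print(t.decision("192.168.1.5", "00:11:22:33:44:55"))   # True: bound pair
    print(t.decision("192.168.1.5", "66:77:88:99:aa:bb"))   # None: IP seen from another MAC
```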
22. ...for any service. Users can authenticate with the firewall using HTTP, Telnet or FTP. For users to be able to authenticate, you must add an HTTP, Telnet or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall user name and password. If you want users to authenticate to use other services (for example POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet and FTP. Users can then authenticate with the policy using HTTP, Telnet or FTP before using the other service. In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP or Telnet server using a domain name. Note that all three login methods send the firewall user name and password unencrypted over the local network, so the credentials are readable by anyone who can capture traffic between the user and the firewall.

Web filter: Enable web filter content filtering for traffic controlled by this policy. You can select Web filter if Service is set to ANY or HTTP, or to a service group that includes the HTTP service. For web filter content filtering to take effect, you must configure web content filtering. See Web content filtering. You can select show settings to display the current web filter content filtering settings for the DFL-500 NPG.
- Select OK to add the policy. The policy is added to the selected policy list.
- Arrange policies in the policy list so that they have the results that you expect. Arranging policies in a
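The last step, arranging the policy list, is where most mistakes with this kind of firewall happen: the first policy whose Source, Destination, Service and Schedule all match is applied, and nothing below it is consulted. The following added example (written for this page; not D-Link code) models that first-match evaluation together with the policy fields described in this chapter: one-time and recurring schedules, predefined services, ACCEPT/DENY actions and an authentication user group. It shows the holiday-blocking one-time schedule from the Schedules section being silently shadowed by the default Internal to External policy when placed below it, and the DNS-without-authentication arrangement recommended above. Networks, service definitions, group names and dates are constructed.

```python
"""First-match firewall policy evaluation with schedules, services and
authentication.

Added example for this page, not DFL-500 code.  Networks, services,
schedules, group names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence

# A few predefined services as (protocol, destination port).
SERVICES = {
    "HTTP": ("tcp", 80),
    "FTP": ("tcp", 21),
    "TELNET": ("tcp", 23),
    "DNS": ("udp", 53),
    "POP3": ("tcp", 110),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class OneTimeSchedule:
    """Active once, from start (inclusive) to stop (exclusive)."""
    start: datetime
    stop: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    """Repeats weekly on the listed weekdays (0 = Monday) between two times of day."""
    days: FrozenSet[int]
    start: time
    stop: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.stop


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                           # CIDR network the source address must fall in
    dst: str                           # CIDR network the destination must fall in
    services: FrozenSet[str]           # service names, or {"ANY"}
    action: str                        # "ACCEPT" or "DENY"
    schedule: Optional[object] = None  # None = Always
    auth_group: Optional[str] = None   # ACCEPT only: group the user must log in as

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if "ANY" not in self.services and (pkt.proto, pkt.dport) not in {SERVICES[s] for s in self.services}:
            return False
        return self.schedule is None or self.schedule.active(now)


def first_match(policies: Sequence[Policy], pkt: Packet, now: datetime) -> Optional[Policy]:
    """The policy the firewall applies; None is the implicit deny at the end of the list."""
    return next((p for p in policies if p.matches(pkt, now)), None)


def decide(policies, pkt, now, authenticated_groups: FrozenSet[str] = frozenset()) -> str:
    """ACCEPT, DENY, or AUTH_REQUIRED when the matching ACCEPT policy needs a
    login the user has not completed yet."""
    policy = first_match(policies, pkt, now)
    if policy is None or policy.action == "DENY":
        return "DENY"
    if policy.auth_group and policy.auth_group not in authenticated_groups:
        return "AUTH_REQUIRED"
    return "ACCEPT"


INTERNAL, ANYWHERE = "192.168.1.0/24", "0.0.0.0/0"
HOLIDAY = OneTimeSchedule(datetime(2003, 12, 25), datetime(2003, 12, 27))
BLOCK_HOLIDAY = Policy("block_holiday", INTERNAL, ANYWHERE, frozenset({"ANY"}), "DENY", schedule=HOLIDAY)
ALLOW_DNS = Policy("dns_no_auth", INTERNAL, ANYWHERE, frozenset({"DNS"}), "ACCEPT")
AUTH_WEB = Policy("web_with_login", INTERNAL, ANYWHERE,
                  frozenset({"HTTP", "FTP", "TELNET", "POP3"}), "ACCEPT", auth_group="staff")
ALLOW_ALL = Policy("internal_to_external", INTERNAL, ANYWHERE, frozenset({"ANY"}), "ACCEPT")

SHADOWED_ORDER = [ALLOW_ALL, BLOCK_HOLIDAY]                      # the deny can never be reached
INTENDED_ORDER = [BLOCK_HOLIDAY, ALLOW_DNS, AUTH_WEB, ALLOW_ALL]

if __name__ == "__main__":
    web = Packet("192.168.1.20", "198.51.100.80", "tcp", 80)
    xmas = datetime(2003, 12, 25, 10, 0)
    print("shadowed:", decide(SHADOWED_ORDER, web, xmas), " intended:", decide(INTENDED_ORDER, web, xmas))
```

The two lists contain the same policies; only their order differs, and only the second one ever blocks anything on the holiday. Checking a new policy with a few representative packets and dates, as the test here does, is cheaper than discovering the shadowing from the traffic log.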
23. ...gathered in Transparent mode settings to fill in the wizard fields. Select the Next button to step through the wizard pages.
- Confirm your configuration settings and then select Finish and Close.

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.

Using the command line interface

As an alternative to the setup wizard, you can configure the DFL-500 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI). Use the information that you gathered in Transparent mode settings to complete the following procedures.

Changing to Transparent mode
- Log into the CLI if you are not already logged in.
- Switch to Transparent mode. Enter: set system opmode transparent
  After a few seconds the following prompt appears: DFL-500 login:
- Type admin and press Enter. The following prompt appears: Type ? for a list of commands.
- Confirm that the DFL-500 NPG has switched to Transparent mode. Enter: get system status
if you are not already logged in.
- Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in NAT/Route mode settings. Enter:
  set system interface internal static ip <IP address> <netmask>
  Example: set system interface internal static ip 192.168.1.1 255.255.255.0
DFL-500 User Manual 16
- Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in NAT/Route mode settings.
  To set the manual IP address and netmask, enter:
  set system interface external static ip <IP address> <netmask>
  Example: set system interface external static ip 204.23.1.5 255.255.255.0
  To set the external interface to use DHCP, enter:
  set system interface external dhcp connection enable
  To set the external interface to use PPPoE, enter:
  set system interface external pppoe username <user name> password <password> connection enable
  Example: set system interface external pppoe username user@domain.com password mypass connection enable
- Confirm that the addresses are correct. Enter: get system interface
  The CLI lists the IP address, netmask, and other settings for each of the DFL-500 NPG interfaces, as well as the mode of the external interface (manual, DHCP, or PPPoE).
- Set the default route to the Default Gateway IP Address that you recorded in NAT/Route mode settings (not required for DHCP and PPPoE). Enter: set system route
number <number> gwl <IP address>
  Example: set system route number 1 gwl 204.23.1.2
You have now completed the initial configuration of your DFL-500 NPG, and you can proceed to connect the DFL-500 NPG to your network using the information in Connecting to your networks.

Connecting to your networks
When you have completed the initial configuration, you can connect your DFL-500 NPG between your internal network and the Internet. There are two 10/100 BaseTX connectors on the DFL-500 NPG:
- Internal, for connecting to your internal network
- External, for connecting to the Internet
To connect the DFL-500 NPG:
- Connect the Internal interface to the hub or switch connected to your internal network.
- Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.
[Figure: DFL-500 NPG network connections (Internal Network, Internal interface, DFL-500, External interface, Public Switch, Internet)]

Configuring your internal network
If you are running the DFL-500 NPG in NAT/Route mode, your internal network must be configured to route all Internet traffic to the address of the internal interface of the DFL-500 NPG. This means changing the default gateway addre
packets greater than MTU.
- Set the MTU size. Set the maximum packet size in the range of 68 to 1500 bytes. The default MTU size is 1500. Experiment by lowering the MTU to find an MTU size for best network performance.

Configuring the management interface (Transparent mode)
In Transparent mode you can configure the management interface for management access to the DFL-500 NPG.
- Go to System > Network > Management.
- Change the Management IP and Mask as required. These must be valid addresses for the network from which you will manage the DFL-500 NPG.
- Select the management Access methods for each interface. By default in Transparent mode you manage the DFL-500 NPG by connecting to the internal interface. However, you can configure the management interface so that you can manage the DFL-500 NPG by connecting to any interface.
- Select Apply to save your changes.

Setting DNS server addresses
Several DFL-500 NPG functions, including sending email alerts and URL blocking, use DNS.
- Go to System > Network > DNS.
- Change the primary and secondary DNS server addresses as required.
- Select Apply to save your changes.

Configuring routing
You can configure routing to add static routes from the DFL-500 NPG to local routers. You can also use routing to add multiple routing gateways. This section describes:
- Adding routing gateways
- Adding a default route
- Adding routes to the routing tabl
server uploads the firmware image file to the DFL-500 and messages similar to the following appear:
  Total 7682959 Bytes Data Is Downloaded
  Testing The Boot Image Now
  Total 32768k Bytes Are Unzipped
  Do You Want To Save The Image? [Y/n]
- Type Y.
  Programming The Boot Device Now
  Read Boot Image 548405 Bytes
  Initializing Firewall
  DFL-500 Login
The installation might take a few minutes to complete. You can then restore your previous configuration. Begin by changing the interface addresses if required. You can do this from the web-based manager or from the CLI using the command set system interface. When the interface addresses are changed, you can access the DFL-500 from the web-based manager and restore your configuration files and content and URL filtering lists.

Displaying the DFL-500 NPG serial number
- Go to System > Status. The serial number is displayed in the Status window. The serial number is specific to your DFL-500 NPG and does not change with firmware upgrades.

Backing up system settings
Note: This procedure does not back up the web content and URL filtering lists. To back up these lists, see Backing up and restoring the banned word list, Downloading the URL block list, and Downloading the Exempt URL list.
You can back up system settings by downloading them to a text file on the management computer.
- Go to System > Status.
- Select System Settings Backup.
- Select Backup
static NAT virtual IPs
- Go to Firewall > Virtual IP.
- Select New to add a virtual IP.
- Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
- Make sure Type is set to Static NAT.
- In the External IP Address field, enter the external IP address to be mapped to an address on the internal network. For example, if the virtual IP provides access from the Internet to a web server on your internal network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the firewall external interface. However, this address must be routed to the firewall external interface.
[Figure: Adding a static NAT virtual IP (Add New Virtual IP Mapping: Name, Type (Static NAT / Port Forwarding), External IP Address, Map to IP)]
- In the Map to IP field, enter the real IP address on the more secure network, for example the IP address of a web server on your internal network. The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address instead of the firewall external address.
- Select OK to save the virtual IP.
these administrator accounts, and optionally control the IP address from which the administrator can connect to the DFL-500 NPG.
There are three administration account access levels:
admin: Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and change the configuration. The admin user is the only user who can go to System > Status and manually update the DFL-500 NPG firmware, download or upload system settings, restore the DFL-500 NPG to factory defaults, restart the DFL-500 NPG, and shut down the DFL-500 NPG. There is only one admin-level user: admin.
Read & Write: Can view and change the configuration. Can view but cannot add, edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System > Status page.
Read Only: Can view the configuration.

Adding new administrator accounts
From the admin account, use the following procedure to add new administrator accounts to the DFL-500 NPG and control their permission levels.
- Go to System > Config > Admin.
- Select New to add an administrator account.
- Type a login name for the administrator account. The login name must be at least 6 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
- Type and confirm a password
to the concentrator. These policies allow inbound and outbound VPN connections between the concentrator and the member VPN tunnels. The encrypt policy for each member VPN tunnel must include the member VPN tunnel name.
To configure the VPN concentrator:
1. Add the required number of remote gateways. Each AutoIKE key tunnel requires a remote gateway. See Adding a remote gateway.
2. Add the required number of AutoIKE key VPN tunnels and include the remote gateways added in step 1. See Adding an AutoIKE key VPN tunnel.
3. Add the required number of manual key VPN tunnels. See Adding a manual key VPN tunnel.
4. Add a VPN concentrator that includes the tunnels added in steps 2 and 3. See Adding a VPN concentrator.
5. Add one encrypt policy for each member VPN. Use the following configuration for each policy:
   Source: VPN concentrator address
   Destination: Member VPN address
   Action: ENCRYPT
   VPN Tunnel: The member VPN tunnel name
   Allow inbound: Select allow inbound
   Allow outbound: Select allow outbound
   Inbound NAT: Select inbound NAT if required
   Outbound NAT: Select outbound NAT if required
   See Adding an encrypt policy.

Configuring the member VPNs
For each member VPN, you must create a VPN tunnel to the VPN concentrator network. This tunnel can be an AutoIKE key or manual key tunnel. You must create an encrypt policy that allows inbound and outbound VPN connections between the member VPN and the concentrator. You must create additional
www.goodsite.com exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules. Exempting a top-level URL does not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the Exempt URL list.
- Select Enable to exempt the URL.
- Select OK to add the URL to the Exempt URL list. You can enter multiple URLs and then select Check All to activate all entries in the Exempt URL list. Each page of the Exempt URL list displays 100 URLs.
- Use Page Down and Page Up to navigate through the Exempt URL list.
You can add URLs to the Exempt List by entering them into a text file and then uploading the text file to the DFL-500 NPG. See Uploading an Exempt URL list.

Clearing the Exempt URL list
- Go to Web Filter > Exempt URL.
- Select Clear URL Exempt List to remove all URLs from the Exempt URL list.

Downloading the Exempt URL list
If you make changes to the Exempt URL list using the web-based manager, you can download the list to a text file using the following procedure.
- Go to Web Filter > Exempt URL.
- Select Download URL Exempt List. The DFL-500 NPG downloads the list to a text file on the management computer.

Uploading an Exempt URL list
You can create an Exempt URL list in a text editor and then upload the text file to the DFL-500 NPG. Add one URL to each line of the tex
00 NPG receives an IPSec VPN connection request, it starts a remote gateway that matches the connection request. The VPN tunnel that starts depends on the source and destination addresses of the IPSec VPN request, which the DFL-500 NPG matches with an encrypt policy.
To add a remote gateway:
- Go to VPN > IPSEC > Remote Gateway.
- Select New to add a new remote gateway.
- Configure the remote gateway:
  Gateway Name: Enter a name for the gateway. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  Remote Gateway: Select Static IP Address or Dialup User.
  IP Address: If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the DFL-500 NPG.
  User Group: If you select Dialup User, the User Group field appears. For authentication purposes, you can select the group of users that will have access to the remote gateway. For information about dialup VPN authentication, see About dialup VPN authentication.
  Mode: Select Aggressive or Main (ID Protection) mode. Both modes establish a secure channel. Main mode offers greater security because identifying information is exchanged after encryption is set up. Aggressive mode is less secure because it exchanges identifying information before encryption is set up.
  For both Static IP Address and Dialup User re
133.144.155 blocks access to all pages on this website. Enter a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website. Do not include http:// in the URL to block.
To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.
URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
- Select Enable to block the URL.
- Select OK to add the URL to the URL block list. You can enter multiple URLs and then select Check All to activate all entries in the URL block list. Each page of the URL block list displays 100 URLs.
- Use Page Down and Page Up to navigate through the URL block list.
Enable URL Block must be selected at the top of the URL block list for web pages with banned URLs to be blocked.
You can add URLs to the URL block list by entering them into a text file and then uploading the text file to the DFL-500 NPG. See Uploading a URL block list.

Clearing the URL block list
- Go to Web Filter > URL Block.
- Select Clear URL Block
[Figure: manual key VPN tunnel settings (Remote SPI, Remote Gateway, Replay Detection, Encryption Algorithm, Authentication Key (Hex, 20 bytes), Concentrator)]

Adding a VPN concentrator
You can add VPN tunnels to a VPN concentrator grouping to create a hub and spoke configuration. The VPN concentrator allows VPN traffic to pass from one tunnel to the other through the DFL-500 NPG.
To add a hub and spoke configuration:
- Go to VPN > IPSec > Concentrator.
- Select New to add a VPN concentrator.
- Enter the name of the new concentrator in the Concentrator Name field.
- To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
- To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
- Select OK to add the VPN concentrator.
[Figure: Adding a VPN concentrator (New VPN Concentrator: Concentrator Name, Available Tunnels, Members)]

Adding an encrypt policy
Add encrypt policies to connect users on your internal network to a VPN tunnel. Encrypt policies are always Int > Ext policies. The source of the encrypt policy must be an address on your internal netw
D-Link DFL-500 Network Security Firewall Manual
D-Link: Building Networks for People
DFL-500 User Manual
Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
July 2002
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory Compliance
FCC Class A Part 15, CSA/CUS

Table of Contents
Introduction 8
NAT/Route mode and Transparent mode 8
NAT/Route mode 8
Transparent mode 8
For more information 9
Customer service and technical support
FL-500 NPG so that the SNMP agent running on the DFL-500 NPG can report system information and send traps. The DFL-500 agent supports SNMP v1 and v2c. System information can be monitored by any SNMP manager configured to get system information from your DFL-500 NPG. Your SNMP manager can use GET (GET NEXT) SNMP operations to communicate with the DFL-500 agent.

Configuring the DFL-500 NPG for SNMP connections
Before a remote SNMP manager can connect to the DFL-500 SNMP agent, you must configure one or more DFL-500 NPG interfaces to accept SNMP connections. For information about how to do this, see Configuring the internal interface and related interface configuration sections.

Configuring SNMP
- Go to System > Config > SNMP.
- Select Enable SNMP.
- Configure SNMP settings:
  System Name: Type a name for this DFL-500 NPG. The system name can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the < > & characters are not allowed.
  System Location: Describe the physical location of the DFL-500 NPG. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters
  Contact Information
  Get Community
  Trap Community
  Trap Receiver IP Addresses
- Select Apply.
For more information
In addition to the DFL-500 User Manual, you have access to the following DFL-500 documentation:
- DFL-500 QuickStart Guide
- DFL-500 CLI Reference Guide
- DFL-500 online help

Customer service and technical support
For updated product documentation, technical support information, and other resources, please visit the D-Link local web site. You can contact D-Link Technical Support at your local D-Link office. See Technical Support.
To help us provide the support you require, please provide the following information:
- Name
- Company Name
- Location
- Email address
- Telephone Number
- Software Version
- Serial Number
- Detailed description of your problem

Getting started
This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following:
- If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode installation.
- If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode installation.
This chapter includes:
- Package contents
- Mounting
- Powering on
- Initial configuration
- Connecting to the web-based manager
- Connecting to the command line interface (CLI)
- Next steps

Package contents
The DFL-500 package contains the following items:
- the DFL-500 NPG
- one orange cross-over ethernet cable
- one gray regul
Guard robot searches the web for new URLs to add to the blacklists. You can upload the squidGuard blacklists to the DFL-500 NPG as a text file with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.
All changes made to the URL block list using the web-based manager are lost when you upload a new list. However, you can download your current URL list, add more URLs to it using a text editor, and then upload the edited list to the DFL-500 NPG.
- In a text editor, create the list of URLs to block.
- Using the web-based manager, go to Web Filter > URL Block.
- Select Upload URL Block List.
- Enter the path and filename of your URL block list text file, or select Browse and locate the file.
- Select OK to upload the file to the DFL-500 NPG.
- Select Return to display the updated URL block list. Each page of the URL block list displays 100 URLs.
- Use Page Down and Page Up to navigate through the URL block list.
- You can continue to maintain the URL block list by making changes to the text file and uploading it again.

Removing scripts from web pages
Use the following procedure to configure the DFL-500 NPG to remove scripts from web pages. You can configure the DFL-500 NPG to block Java applets, cookies, and ActiveX. When the DFL-500 NPG removes Java applets, cookies, or ActiveX code from a web page, the DFL-500 NPG writes a message to the Event log.
Blockin
IPSec redundancy
IPSec redundancy allows you to create a redundant AutoIKE key IPSec VPN configuration to two remote VPN gateway addresses.
Note: For IPSec redundancy to work, both Internet connections must have static IP addresses.
To configure IPSec redundancy:
- Add two remote gateways with the same settings, including the same authentication key, but with different remote gateway addresses. See Adding a remote gateway.
- Add two AutoIKE key tunnels with the same settings and add one of the remote gateways to each tunnel. See Adding an AutoIKE key VPN tunnel.
- Add two outgoing encrypt policies. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See Adding an encrypt policy.

Adding a remote gateway
Add a remote gateway configuration to define the parameters that the DFL-500 NPG uses to connect to and establish an AutoIKE key VPN tunnel with a remote VPN gateway or a remote VPN client. The remote gateway configuration consists of the IP address of the remote VPN gateway or client as well as the P1 proposal settings required to establish the VPN tunnel. To successfully establish a VPN tunnel, the remote VPN gateway or client must have the same authentication key and compatible P1 proposal settings.
You can add one remote gateway and then create multiple AutoIKE key tunnels that include the same remote gateway in their configurations. When the DFL-5
L-500 NPG to start a PPTP session.
To support PPTP authentication, you must add a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, RADIUS servers, or both.
After you have added a user group, configure your DFL-500 NPG to support PPTP by enabling PPTP and specifying a PPTP address range. The PPTP address range is the range of addresses that must be reserved for remote PPTP clients. When a remote PPTP client connects to the internal network using PPTP, the client computer is assigned an IP address from this range. The PPTP address range can be on any subnet.
Add firewall policies with an external source address to control the access that PPTP clients have through the DFL-500 NPG. Add the addresses in the PPTP address range to the external interface address list. To make policy configuration easier, you can create an address group for PPTP that contains the IP addresses that can be assigned to PPTP clients from the PPTP address range. Add addresses to the internal interface address list to control the addresses to which PPTP clients can connect.
You create Ext > Int policies to control the access that PPTP users have through the DFL-500 NPG. Set the service for the policy to the traffic type inside the PPTP VPN tunnel. For example, if you want PPTP clients to be able to access a web server, set service to HTTP.
Note: Make sure that your ISP supports PPTP connections.
List to remove all URLs from the URL block list.

Changing the URL block message
To customize the message that users receive when the DFL-500 NPG blocks web pages:
- Go to Web Filter > URL Block.
- Select Edit Prompt to edit the URL block message.
- Change the text of the message. You can add HTML code to this message.
- Select OK to save your changes. The DFL-500 NPG displays this message when a URL is blocked.

Downloading the URL block list
If you make changes to the URL block list using the web-based manager, you can download the list to a text file using the following procedure.
- Go to Web Filter > URL Block.
- Select Download URL Block List. The DFL-500 NPG downloads the list to a text file on the management computer.

Uploading a URL block list
You can create a URL block list in a text editor and then upload the text file to the DFL-500 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the DFL-500 NPG automatically enables all URLs in the block list when you upload the text file.
You can add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist as a starting point for creating your own URL block list. Three times a week the squid
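The following Python is an added example, not D-Link code: it parses a block list file in the upload format just described (one URL per line, optional trailing 1 or 0, enabled by default) and applies the matching rules given in the URL blocking and Exempt URL list sections (a top-level URL covers every host that ends with it, a URL with a path covers one page, exempt entries win, and only HTTP is filtered). Skipping '#' header comments and ignoring query strings are assumptions, as are the sample lists.

```python
"""Parser and matcher for the DFL-500 URL block list format (added example)."""
from urllib.parse import urlsplit


def parse_url_list(text):
    """Parse an upload file: one URL per line, optionally followed by a space
    and 1 (enabled) or 0 (disabled).  Lines without a flag are enabled, which
    is what the DFL-500 does on upload.  Returns a list of (url, enabled).
    Malformed lines raise ValueError so a bad list is caught before upload."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            # Assumption: '#' lines are the header comments the manual says to
            # strip from squidGuard lists; they are dropped rather than uploaded.
            continue
        parts = line.split()
        if len(parts) > 2 or (len(parts) == 2 and parts[1] not in ("0", "1")):
            raise ValueError(f"line {lineno}: expected '<url>' or '<url> 0|1'")
        url = parts[0].lower()
        if url.startswith(("http://", "https://")):
            raise ValueError(f"line {lineno}: do not include http:// in the URL")
        enabled = len(parts) == 1 or parts[1] == "1"
        entries.append((url, enabled))
    return entries


def _split_entry(entry):
    """'www.badsite.com/news.html' -> ('www.badsite.com', '/news.html');
    'badsite.com' -> ('badsite.com', None)."""
    host, sep, path = entry.partition("/")
    return host, ("/" + path) if sep else None


def entry_matches(entry, host, path):
    """Manual's rules: a top-level entry (no path) covers every host that ends
    with it, so 'badsite.com' covers www.badsite.com and mail.badsite.com;
    an entry with a path covers exactly that one page on that host."""
    ehost, epath = _split_entry(entry)
    host_ok = host == ehost or host.endswith("." + ehost)
    if epath is None:
        return host_ok
    return host == ehost and path == epath


def is_blocked(url, block_entries, exempt_entries=(), url_block_enabled=True):
    """Decide whether the web filter would block a request.  Only HTTP is
    filtered: the manual notes URL blocking does not cover ftp:// and that
    other services are controlled with firewall policies instead."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    path = parts.path or "/"          # query strings are ignored (assumption)
    # Exempt URL entries take precedence over all content and URL rules.
    if any(on and entry_matches(u, host, path) for u, on in exempt_entries):
        return False
    if not url_block_enabled:         # 'Enable URL Block' unchecked at the top
        return False
    return any(on and entry_matches(u, host, path) for u, on in block_entries)


# Constructed sample lists in the upload format (not taken from the manual).
BLOCK_LIST_TEXT = """\
# squidGuard-style header comment, removed before upload
www.badsite.com
badsite.com 1
www.other.com/news.html
goodsite.com
disabled.example 0
"""
EXEMPT_LIST_TEXT = "www.goodsite.com\n"

BLOCK = parse_url_list(BLOCK_LIST_TEXT)
EXEMPT = parse_url_list(EXEMPT_LIST_TEXT)


def check(url):
    """Apply the constructed block and exempt lists to one request URL."""
    return is_blocked(url, BLOCK, EXEMPT)


if __name__ == "__main__":
    for u in ("http://www.badsite.com/index.html", "http://mail.badsite.com/",
              "http://www.other.com/news.html", "http://www.other.com/",
              "http://www.goodsite.com/badpage", "http://mail.goodsite.com/",
              "http://disabled.example/x", "ftp://ftp.badsite.com/"):
        print(f"{'BLOCK' if check(u) else 'allow':5}  {u}")
```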
47. NPG restarts with the configuration that it had when it was first powered on.
• Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
You can restore your system settings by uploading a previously downloaded system settings text file to the DFL-500 NPG.
Changing to Transparent mode
Use the following procedure if you want to switch the DFL-500 NPG from NAT/Route mode to Transparent mode. Changing to Transparent mode deletes all NAT/Route mode policies and addresses. In addition, any routing set in NAT/Route mode is also deleted. This includes the default route that is part of the default NAT/Route configuration.
• Go to System > Status.
• Select Change to Transparent Mode.
• Select Transparent in the operation mode list.
• Select OK. The DFL-500 NPG changes operation mode.
• To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address. By default in Transparent mode you can connect to the internal interface. The default Transparent mode management IP address is 10.10.10.1. See Configuring the management interface (Transparent mode).
Changing to NAT/Route mode
Use the following procedure if you want to switch the DFL-500 NPG from Transparent mode to NAT/Route mode. Changing to NAT/Route mode deletes all Transparent mode polic
48. P
PPTP configuration; remote gateway; testing; viewing dialup connection status. VPN events, alert email. VPN tunnel: adding AutoIKE key; adding manual key tunnel; AutoIKE authentication key; name; viewing status.
W
web content filtering: ActiveX; cookies; enabling; Java applets; Web filter policy option. web pages, content blocking. web-based manager: changing options; connecting to; language; timeout. WebTrends, recording logs on a WebTrends server. whitelist URL. wizard, firewall setup, starting.
Technical Support
D-Link Offices: AUSTRALIA, BENELUX, CANADA, CHILE, CHINA, DENMARK, EGYPT, FINLAND, FRANCE, GERMANY, IBERIA, INDIA, ITALY, JAPAN, NORWAY, RUSSIA, SINGAPORE, S. AFRICA, SWEDEN, TAIWAN, UK, U.S.A.
D-LINK AUSTRALIA: Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia. TEL: 61-2-9417-7100. FAX: 61-2-9417-1077. TOLL FREE: 1800 177 100 (Australia), 0800 900900 (New Zealand). E-MAIL: support@dlink.com.au, info@dlink.com.au. URL: www.dlink.com.au
D-LINK BENELUX: Fellenoord 130, 5611 ZB Eindhoven, The Netherlands. TEL: 31-40-2668713. FAX: 31-40-2668666. E-MAIL: info@dlink-benelux.nl, info@dlink-benelux.be. URL: www.dlink-benelux.nl, www.dlink-benelux.be
D-LINK CANADA: 2180 Winston Park Drive, Oakville, Ontario L6H 5W1, Canada. TEL: 1-905-829-5033. FAX: 1-905-829-5095. FREE CALL: 1-800-35
49. P clients have through the DFL-500 NPG. Add the addresses in the L2TP address range to the external interface address list. To make policy configuration easier, you can create an address group for L2TP that contains the IP addresses that can be assigned to L2TP clients from the L2TP address range. Add addresses to the internal interface address list to control the addresses to which L2TP clients can connect. You create Ext -> Int policies to control the access that L2TP users have through the DFL-500 NPG. Set the service for the policy to the traffic type inside the L2TP VPN tunnel. For example, if you want L2TP clients to be able to access a web server, set Service to HTTP.
Configuring the DFL-500 NPG as an L2TP gateway
• Create a user group for your L2TP users. See Users and authentication.
• Go to VPN > L2TP > L2TP Range.
• Select Enable L2TP.
• Enter the Starting IP and the Ending IP for the L2TP address range.
• Select the User Group that you added in the step "Create a user group for your L2TP users".
• Select Apply to enable L2TP through the DFL-500 NPG.
[Figure: Sample L2TP address range configuration. L2TP Range: Enable L2TP; Starting IP 192.168.1.200; Ending IP 192.168.1.201; User Group L2TP_users; Disable L2TP]
When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows cli
50. PPTP
• The DFL-500 L2TP configuration. See L2TP VPN configuration. Only users in the selected user group can use L2TP.
If you add a user group to a policy or remote gateway, or to your PPTP or L2TP configuration, do not delete the user group until you remove it from the policy, remote gateway, or configuration.
This section describes:
• Adding user groups
• Deleting user groups
Adding user groups
To add a user group:
• Go to User > User Group.
• Select New to add a new user group.
• Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
• To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
• To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
[Figure: Adding a user group. User Group > New User Group: Group Name PPTP_User_Group; Available Users; Members]
• To remove users or RADIUS servers from the user group, select a user or RADIUS server from the Members list and select the left arrow to remove the name or RADIUS server from the group.
• Select OK.
Deleting user groups
You cannot delete user groups that have been selected in a polic
51. PSec VPN configuration
D-Link has tested DFL-500 VPN interoperability with the following third-party products: NetScreen Internet security appliances; SonicWALL PRO firewall; Cisco PIX firewall; Cisco IOS router; Check Point NG firewall; Check Point NG-1 firewall; Check Point FP-1 firewall; Check Point FP-2 firewall; Check Point FP-3 firewall; Linksys firewall router; SafeNet IPSec VPN client; Secure Computing Sidewinder; SSH Sentinel. For more information about DFL-500 VPN interoperability, contact D-Link technical support.
Configuring AutoIKE key IPSec VPN
An AutoIKE key VPN configuration consists of a remote gateway, an AutoIKE key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. Normally an AutoIKE key VPN tunnel requires one remote gateway. This can be a gateway with a static IP address or a dialup gateway. For IPSec redundancy, you can add up to three remote gateways with static IP addresses to an AutoIKE key tunnel. For information about IPSec redundancy, see Configuring IPSec redundancy.
To create an AutoIKE key VPN configuration:
1. Add a remote gateway. See Adding a remote gateway.
2. Add an AutoIKE key VPN tunnel that includes the remote gateway that you added in step 1. See Adding an AutoIKE key VPN tunnel.
3. Add an encrypt policy that includes the tunnel source address and destination address for both ends of the tunnel.
52. Pool.
• Select the interface to which to add the IP pool. The list of IP pools added to that interface is displayed.
• Select New to add a new IP pool to the selected interface.
• Enter the Start IP and End IP address for the range of addresses in the IP pool. The Start IP and End IP must define the start and end of an address range. The Start IP must be lower than the End IP. The Start IP and End IP must be on the same subnet as the IP address of the interface for which you are adding the IP pool. If you have configured the external interface to use PPPoE or DHCP, you can only set the Start IP and End IP to the current IP address of the external interface.
• Select OK.
The IP pool can be added to NAT policies with a destination that is the interface to which you have added the IP pool. For example, IP pools for the external interface can be added to Int -> Ext policies.
[Figure: Adding an IP Pool. Dynamic IP Pool: Start IP 192.168.1.10]
IP/MAC binding
IP/MAC binding protects the DFL-500 NPG and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the firewall from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to ethernet cards at the factory and cannot easily be changed. You can enter the static IP addresses and correspon
53. R ... 63
Viewing dialup VPN connection status ... 64
Testing a VPN ... 64
PPTP and L2TP VPNs ... 66
PPTP VPN configuration ... 66
Configuring the DFL-500 NPG as a PPTP gateway ... 67
L2TP VPN configuration ... 69
Configuring the DFL-500 NPG as an L2TP gateway ... 69
Web content filtering ... 71
Enabling web content filtering ... 71
Blocking web pages that contain unwanted content ... 71
Configuring content filtering ... 71
Clearing the banned word list ... 72
Changing the content block message ...
54. Refresh to update the information displayed.
• You can select Clear to stop any active communication session.
[Figure: System status monitor, showing CPU usage (0.00% used, 99.55% idle, 0.00% interrupt), Memory usage, Uptime (0 days 13 hours 14 minutes), Total Number of Sessions, and a session table with the columns Protocol, From IP, From Port, To IP, To Port, Expire, Clear, listing two tcp sessions from 192.168.100.x to 192.168.100.135 port 443 and 192.168.100.136 port 443]
At the top of the display the system status monitor shows:
CPU usage: The current CPU usage statistics of the DFL-500 NPG.
Memory usage: The percentage of available memory being used by the DFL-500 NPG.
Up time: The number of days, hours, and minutes since the DFL-500 NPG was last started.
Total Number of Sessions: The total number of active communication sessions to and through the DFL-500 NPG.
Each line of the system status monitor displays the following information about each active firewall connection:
Protocol: The service type or protocol of the connection.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time in seconds before the connection expires.
Clear: Stop an active communication session.
Network configuration
Go to System > Network to make any of the following changes to t
55. See PFS, About perfect forward secrecy (PFS).
DH Group: Select the Diffie-Hellman group to propose for phase 2 of the IPSec VPN connection. You can select one DH group. Select 1, 2, or 5. See About DH groups.
Keylife: Specify the keylife for phase 2. The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.
Autokey Keep Alive: Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.
Concentrator: Select a concentrator if you want the tunnel to be part of a hub-and-spoke VPN configuration. If you use the procedure Adding a VPN concentrator to add the tunnel to a concentrator, the next time you open the tunnel the Concentrator field displays the name of the concentrator to which you have added the tunnel.
• Select OK to save the AutoIKE key VPN tunnel.
[Figure: Adding an AutoIKE key VPN tunnel. Tunnel Name; Remote Gateway: STATIC; P2 Proposal: 1 Encryption 3DES, Authentication SHA1; 2 Encryption 3DES, Authentication ...]
56. Select Delete to remove a route from the routing table.
Enabling RIP server support
Enable Routing Information Protocol (RIP) server support to configure the DFL-500 NPG to act like a RIP server. The RIP routing protocol maintains up-to-date dynamic routing tables between nearby routers. When you enable RIP server support, the DFL-500 NPG acts like a RIP server, broadcasting RIP packets to other nearby routers to:
• request network updates from nearby routers,
• send its own routing tables to other routers,
• announce that the DFL-500 RIP server is going online (RIP server turned on and requesting updates),
• announce that the DFL-500 RIP server is shutting down and will stop sharing routing information.
To enable RIP server support:
• Go to System > Network > Routing Table.
• Select Enable RIP Server.
Adding routes (Transparent mode)
Use the following procedure to add routes when running the DFL-500 NPG in Transparent mode:
• Go to System > Network > Routing.
• Select New to add a new route.
• Enter the Destination IP address and Netmask for the route.
• Enter the Gateway IP address for the route.
• Select OK to save the new route.
• Repeat these steps to add more routes as required.
Providing DHCP services to your internal network
If the DFL-500 NPG is operating in NAT/Route mode, you can configure it to be the DHCP server for your internal network.
• Go to System > Network > DHCP.
•
57. Select Enable DHCP.
• Configure the DHCP settings:
Starting IP, Ending IP: Enter the Starting IP and the Ending IP to configure the range of IP addresses that the DFL-500 NPG can assign to DHCP clients. The addresses must be addresses on your internal network.
Netmask: Enter the Netmask that the DFL-500 NPG assigns to the DHCP clients.
Lease Duration: Enter the interval in seconds after which a DHCP client must ask the DHCP server for a new address. The lease duration must be between 300 and 604800 seconds.
Domain: Optionally, enter the domain that the DHCP server assigns to the DHCP clients.
DNS IP: Enter the IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain names.
Default Route: Enter the default route to be assigned to DHCP clients. The default route should be on the same subnet as the Starting and Ending IP addresses.
Exclusion Range: Optionally, enter up to 4 exclusion ranges of IP addresses within the starting IP and ending IP addresses that cannot be assigned to DHCP clients.
• Select Apply.
• Configure the IP network settings of the computers on your network to obtain an IP address automatically using DHCP.
[Figure: Sample DHCP settings. Enable DHCP; Starting IP 192.168.100.1; Ending IP; Netmask 255.255.255.0; Lease Duration (seconds); Domain Fortinet_com; DNS IP 192.168.100.5, 192.168.100.98; Dynamic IP List]
58. The CLI displays the status of the DFL-500. The last line shows the current operation mode:
Version: DLINK-500 2.36, build075, 030604
Serial Number: FGT-502801021075
Operation mode: Transparent
Configuring the Transparent mode management IP address
• Log into the CLI if you are not already logged in.
• Set the IP address and netmask of the Management IP to the IP address and netmask that you recorded in Transparent mode settings. Enter:
set system management ip <IP address> <netmask>
Example:
set system management ip 10.10.10.2 255.255.255.0
• Confirm that the address is correct. Enter:
get system management
The CLI lists the Management IP address and netmask.
Configure the Transparent mode default gateway
• Log into the CLI if you are not already logged in.
• Set the default route to the Default Gateway that you recorded in Transparent mode settings. Enter:
set system route number <number> gateway <IP address>
Example:
set system route number 1 gateway 204.23.1.2
You have now completed the initial configuration of the DFL-500 NPG and you can proceed to the next section.
Setting the date and time
For effective scheduling and logging, the DFL-500 NPG date and time should be accurate. You can either manually set the time or you can configure the DFL-500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the DFL-500 NPG da
59. Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
RADIUS: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the DFL-500 RADIUS configuration. See Configuring RADIUS support.
• Select Try other servers if connect to selected server fails if you want the DFL-500 NPG to try to connect to other RADIUS servers added to the DFL-500 RADIUS configuration.
• Select OK.
Deleting user names from the internal database
If you delete a user, the user is also removed from any user groups that it has been added to.
• Go to User > Local.
• Select Delete User for the user name to delete.
• Select OK.
Note: Deleting the user name deletes the authentication configured for the user.
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-500 NPG contacts the RADIUS server for authentication.
When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP.
This section describes:
• Adding RADIUS servers
• Deleting RADIUS servers
Adding RADIUS servers
To configure the DFL-500 NPG for RADIUS authentication:
• Go to User > RADIUS
60. _. Other special characters and spaces are not allowed.
• Set the Start date and time for the schedule. Set Start and Stop times to 00:00 for the schedule to cover the entire day.
• Set the Stop date and time for the schedule.
Note: One-time schedules use the 24-hour clock.
• Select OK to add the one-time schedule.
Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, if your DFL-500 NPG is protecting a home office, you may wish to provide access to different services during working hours than you do on evenings and weekends.
If you create a recurring schedule with a stop time that occurs before the start time, the schedule will start at the start time and finish at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.
• Go to Firewall > Schedule > Recurring.
• Select New to create a new schedule.
• Enter a Name for the schedule. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
• Select the days of the week on which the schedule should be active.
• Set the Start and Stop hours in be
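The two special cases in the recurring-schedule rules above (a stop time before the start time runs into the next day, and equal start and stop times mean the whole day) are where a policy silently stays open longer than intended, so they are worth modelling before a schedule is attached to an allow policy. The evaluator below is an added example written for this page, not the appliance's own logic; it assumes the active window is half-open (active at the start minute, inactive at the stop minute) and that days are selected by weekday number, neither of which the manual specifies.

```python
"""Evaluate a DFL-500 style recurring firewall schedule.

Rules from the manual: active on the selected days between Start and
Stop; if Stop is before Start the schedule runs from Start until Stop
on the next day; Start equal to Stop means a full 24 hours.
Added example, not the appliance's own logic.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[int]  # 0 = Monday ... 6 = Sunday, as datetime.weekday()
    start: str            # "HH:MM", 24-hour clock
    stop: str


def _minutes(hhmm: str) -> int:
    """Convert "HH:MM" to minutes since midnight, rejecting bad values."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return hour * 60 + minute


def schedule_active(sched: RecurringSchedule, now: datetime) -> bool:
    start, stop = _minutes(sched.start), _minutes(sched.stop)
    minute = now.hour * 60 + now.minute
    today = now.weekday()
    yesterday = (today - 1) % 7
    if start == stop:
        # Equal times: the schedule covers the whole selected day.
        return today in sched.days
    if start < stop:
        # Ordinary window inside one day (assumed half-open: [start, stop)).
        return today in sched.days and start <= minute < stop
    # Stop before start: the window opened on a selected day and wraps past
    # midnight, so it is active late on that day and early on the next one.
    if today in sched.days and minute >= start:
        return True
    return yesterday in sched.days and minute < stop


def active_at(sched: RecurringSchedule, year: int, month: int, day: int,
              hour: int, minute: int) -> bool:
    """Convenience wrapper so callers need not build a datetime themselves."""
    return schedule_active(sched, datetime(year, month, day, hour, minute))


# Constructed sample schedules (not from the manual).
WORK_HOURS = RecurringSchedule("office", frozenset(range(0, 5)), "09:00", "17:00")
FRIDAY_NIGHT = RecurringSchedule("backup", frozenset({4}), "22:00", "06:00")
ALL_SUNDAY = RecurringSchedule("sunday", frozenset({6}), "00:00", "00:00")
```

Note that FRIDAY_NIGHT only selects Friday, yet it is active in the early hours of Saturday: when reviewing a policy list, a wrap-around schedule must be read as covering the morning after each selected day.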
61. ... 37
Adding policies with virtual IPs ... 38
IP pools ... 39
IP/MAC binding ... 40
Configuring IP/MAC binding for packets going through the firewall ... 40
Configuring IP/MAC binding for packets going to the firewall ... 41
Adding IP/MAC addresses ... 41
Viewing the dynamic IP/MAC list ... 42
Enabling IP/MAC binding ... 42
Users and authentication ... 43
Setting authentication timeout ... 43
Adding user names and configuring authentication ... 43
Adding user names and configuring authentication ... 43
Deleting user names from the internal database ... 44
Configuring RADIUS support ...
62. al about NAT/Route mode. NAT traversal, IPSec VPN remote gateway. netmask, administrator account. network address translation, introduction. network configuration, changing. NTP, setting system date and time.
O
one-time schedule, creating. operating mode, changing.
P
P1 proposal, about, IPSec VPN remote gateway. P2 proposal, about, IPSec AutoIKE key VPN tunnel. password, adding. PAT. perfect forward secrecy, about, enabling. PFS, about, IPSec AutoIKE key VPN tunnel. PING, management access. policy: adding, IPSec firewall policy; adding, L2TP firewall policy; adding, PPTP firewall policy; adding, Transparent mode; arranging in the policy list; disabling; enabling; matching. policy mode, firewall. POP3. port address translation. port forwarding, virtual IP. power requirements. powering on. PPPoE, external interface. PPTP: adding firewall policy; configuring; configuring gateway; definition; enabling; ending IP; network configuration; starting IP; user groups; VPN configuration. PPTP gateway, configuring. pre-defined services. protocol, system status.
R
RADIUS: adding server address; example configuration. read & write administrator account. read-only administrator account. recurring schedule, creating. remote gateway: adding 55; IPSec AutoIKE key VPN tunnel; IPSec VPN; IPSec VPN manual key; IPSec VPN remote gateway; user groups. remote SPI, IPSec VPN manual key. removing scripts from
63. an also select DENY to deny access.
NAT: Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
Authentication: Optionally, select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic, Web filter: Select these options to log port-forwarded traffic and apply web filter protection to this traffic.
• Select OK to save the policy.
IP pools
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. The addresses in the IP pool must be on the same subnet as the IP address of the interface. You can add multiple IP pools to each interface. Add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from a predefined range of IP addresses. For example, if the IP address of the internal interface is 192.168.1.99, a valid IP pool could have a start IP of 192.168.1.10 and an end IP of 192.168.1.20. This IP pool would give the firewall 11 addresses to select from when translating the source address.
If you add IP pools for an interface, you can select Dynamic IP Pool when you configure a policy with its destination set to this interface. If you add IP pools for the internal interface, you can select IP pools for Ext -> Int policies.
To add an IP pool:
• Go to Firewall > IP
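The IP pool rules above (Start IP lower than End IP, both on the interface's subnet, 11 addresses from 192.168.1.10 to 192.168.1.20) and the DHCP limits in the earlier item on providing DHCP services (lease between 300 and 604800 seconds, default route on the scope's subnet, at most 3 DNS servers, at most 4 exclusion ranges inside the scope) are the kind of constraints that are easy to get wrong when a configuration is prepared by hand. The checker below is an added example written for this page, not D-Link's code; it uses the standard `ipaddress` module and assumes that a pool whose Start IP equals its End IP (the single-address case the manual describes for a PPPoE or DHCP external interface) is valid.

```python
"""Check IP pool and DHCP scope settings against the limits in the manual.

Added example, not the appliance's own code.
"""
import ipaddress
from typing import List, Sequence, Tuple

Range = Tuple[str, str]


def _range_errors(start: str, end: str, network: ipaddress.IPv4Network,
                  what: str) -> List[str]:
    """Shared check: start not above end, both addresses inside `network`."""
    errs: List[str] = []
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:  # equal start/end is allowed (single-address pool)
        errs.append(f"{what}: Start IP {start} must not be above End IP {end}")
    for label, addr in (("Start IP", lo), ("End IP", hi)):
        if addr not in network:
            errs.append(f"{what}: {label} {addr} is not on subnet {network}")
    return errs


def validate_ip_pool(interface_cidr: str, start: str, end: str) -> Tuple[List[str], int]:
    """Return (errors, number of addresses the pool gives the firewall)."""
    iface = ipaddress.IPv4Interface(interface_cidr)
    errs = _range_errors(start, end, iface.network, "IP pool")
    if errs:
        return errs, 0
    size = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
    return errs, size


def validate_dhcp_scope(start: str, end: str, netmask: str, lease_seconds: int,
                        default_route: str, dns: Sequence[str],
                        exclusions: Sequence[Range]) -> List[str]:
    """Return every violation of the DHCP limits stated in the manual."""
    network = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    errs = _range_errors(start, end, network, "DHCP range")
    if not 300 <= lease_seconds <= 604800:
        errs.append(f"Lease Duration {lease_seconds}s is outside 300..604800")
    if ipaddress.IPv4Address(default_route) not in network:
        errs.append(f"Default Route {default_route} is not on subnet {network}")
    if len(dns) > 3:
        errs.append(f"{len(dns)} DNS servers given, at most 3 allowed")
    if len(exclusions) > 4:
        errs.append(f"{len(exclusions)} exclusion ranges given, at most 4 allowed")
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    for ex_start, ex_end in exclusions:
        ea, eb = ipaddress.IPv4Address(ex_start), ipaddress.IPv4Address(ex_end)
        if ea > eb or ea < lo or eb > hi:
            errs.append(f"Exclusion {ex_start}-{ex_end} is not inside {start}-{end}")
    return errs
```

Running `validate_ip_pool("192.168.1.99/24", "192.168.1.10", "192.168.1.20")` reproduces the manual's count of 11 addresses; a pool whose Start IP lies on a different subnet fails both the ordering and the subnet check.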
64. ar ethernet cable
• one null modem cable
• DFL-500 QuickStart Guide
• a CD containing this DFL-500 User Manual and the DFL-500 CLI Reference Guide
• one AC adapter
[Figure: DFL-500 package contents]
Mounting
The DFL-500 NPG can be installed on any stable surface. Make sure that the appliance has at least 1.5 in (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
Dimensions
• 8.63 x 6.13 x 1.38 in (21.9 x 15.6 x 3.5 cm)
Weight
• 1.5 lb (0.68 kg)
Power requirements
• DC input voltage: 5 V
• DC input current: 3 A
Environmental specifications
• Operating temperature: 32 to 104 °F (0 to 40 °C)
• Storage temperature: -13 to 158 °F (-25 to 70 °C)
• Humidity: 5 to 95% non-condensing
Powering on
To power on the DFL-500 NPG:
• Connect the AC adapter to the power connection at the back of the DFL-500 NPG.
• Connect the AC adapter to a power outlet.
The DFL-500 NPG starts up. The Power and Status lights light. The Status light flashes while the DFL-500 NPG is starting up and remains lit when the system is up and running.
LED indicators
LED, State: Description
Power, Green: The DFL-500 NPG is powered on.
Power, Off: The DFL-500 NPG is powered off.
Status, Flashing Green: The DFL-500 NPG is starting up.
Status, Green: The DFL-500 NPG is running normally.
Status, Off: The DFL-500 NPG is powered off.
Green: The correct cable is in use and the connected equi
65. ch administrators can access the web-based manager. See Adding and editing administrator accounts.
Changing the external interface MTU size to improve network performance
To improve the performance of your internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-500 NPG transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-500 NPG and the Internet. If the packets that the DFL-500 NPG sends are larger, they get broken up or fragmented, which slows down transmission speeds.
Trial and error is the only sure way of finding the optimal MTU, but there are some guidelines that can help. For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPP or PPPoE you might want to set the MTU size to 576. DSL modems also have small MTU sizes. Most ethernet networks have an MTU of 1500.
Note: If the external interface is configured using PPPoE, the MTU may be negotiated by the PPPoE protocol. If this is the case, the system may override manual MTU settings.
Note: If you connect to your ISP using DHCP to obtain an IP address for the external interface, you cannot set the MTU below 576 bytes due to DHCP communication standards.
To change the MTU size of the packets leaving the external interface:
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Select Fragment outgoing
66. ... 84
Restoring system settings to factory defaults ... 84
Changing to Transparent mode ... 85
Changing to NAT/Route mode ... 85
Restarting the DFL-500 NPG ... 86
Shutting down the DFL-500 NPG ... 86
System status monitor ... 86
Network configuration ... 87
Configuring the internal interface ... 88
Configuring the external interface ... 88
Configuring the management interface (Transparent mode) ... 92
Setting DNS server addresses ...
67. d.
• Select the Protocol (either TCP or UDP) used by the service.
• Specify a Source and Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number into both the low and high fields.
• If the service has more than one port range, select Add to specify additional protocols and port ranges. If you mistakenly add too many port range rows, select Delete to remove each extra row.
• Select OK to add the custom service. You can now add this custom service to a policy.
Grouping services
To make it easier to add policies, you can create groups of services and then add one policy to provide access to or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
To add a service group:
• Go to Firewall > Service > Group.
• Select New.
• Enter a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
[Figure: Adding a service group. New Service Group: Group Name; Available Services: DNS, HTTP, HTTPS; Members]
• To
68. ddress list represents the IP addresses of all computers on the Internet. You can add, edit, and delete all other addresses as required. You can also organize related addresses into address groups to simplify policy creation.
This section describes:
• Adding addresses
• Deleting addresses
• Organizing addresses into address groups
Adding addresses
• Go to Firewall > Address.
• Select the interface to which to add the address. The list of addresses added to that interface is displayed.
• Select New to add a new address to the selected interface.
• Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
[Figure: Adding a firewall address. Address Name: Web Server; IP Address: 192.168.2.3; Netmask: 255.255.255.0]
• Enter the IP Address. The IP address can be the IP address of a single computer (for example, 192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0). The address must be a valid address for one of the networks or computers connected to the interface.
• Enter the NetMask. The netmask should correspond to the address. The netmask for the IP address of a single computer should be 255.255.255.255. The netmask for a subnet should be 255.255.255.0.
• Select OK to add the address.
Deleting addresses
Delete an address to mak
69. de provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the DFL-500 NPG must be in the same subnet, and the DFL-500 NPG can be inserted into your network at any point without the need to make any changes to your network.
About this document
This user manual describes how to install and configure the DFL-500 NPG. This document contains the following information:
• Getting started describes unpacking, mounting, and powering on the DFL-500 NPG.
• NAT/Route mode installation describes how to install the DFL-500 NPG if you are planning on running it in NAT/Route mode.
• Transparent mode installation describes how to install the DFL-500 NPG if you are planning on running it in Transparent mode.
• Firewall configuration describes how to configure firewall policies to enhance firewall protection.
• IPSec VPNs describes how to configure DFL-500 IPSec VPN.
• PPTP and L2TP VPNs describes how to configure PPTP and L2TP VPNs between the DFL-500 NPG and a Windows client.
• Web content filtering describes how to configure web content filters to prevent unwanted web content from passing through the DFL-500 NPG.
• Logging and reporting describes how to configure logging and reporting to track activity through the DFL-500 NPG.
• Administration describes DFL-500 management and administrative tasks.
• The Glossary defines many of the terms used in this document.
70. ...adding MAC addresses of trusted computers in the Static IP/MAC table. If you have trusted computers with dynamic IP addresses that are set by the DFL-500 DHCP server, the firewall adds these IP addresses and their corresponding MAC addresses to the Dynamic IP/MAC table. See Providing DHCP services to your internal network. The dynamic IP/MAC binding table is not available in Transparent mode.
IP/MAC binding can be enabled for packets connecting to the firewall or passing through the firewall. If you enable IP/MAC binding and then change the IP address or MAC address of a computer listed in the IP/MAC list, you must also change the entry in the IP/MAC list, or the computer will not have access to or through the firewall. You must also add the IP/MAC address pair of any new computer that you add to your network, or this computer will not have access to or through the firewall. Keep in mind that a MAC address is not a secret: IP/MAC binding stops accidental address changes and casual address reuse, but a host that forges a listed MAC address passes the check.

This section describes:
• Configuring IP/MAC binding for packets going through the firewall
• Configuring IP/MAC binding for packets going to the firewall
• Adding IP/MAC addresses
• Viewing the dynamic IP/MAC list
• Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall
Use the following procedure to apply IP/MAC binding to packets that would normally be matched with firewall policies and allowed through the firewall.
• Go to Firewall > IP/MAC Binding > Setting
• Select Enable IP/MAC binding g...
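The through-the-firewall decision described above, written out as an added Python example that is not part of the D-Link manual. The class and method names (IpMacBinding, dhcp_lease, dhcp_release, check) are my own, the rule that a static entry wins over a dynamic entry for the same IP is my assumption, and the addresses are constructed sample data. It shows the three outcomes the manual describes: a matching pair passes, a changed MAC or IP is blocked until the entry is updated, and a computer with no entry at all is blocked.

```python
import re

# Accepts 00:0c:29:ab:cd:ef, 00-0C-29-AB-CD-EF and 000c29abcdef.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case colon form so differently written MACs compare equal."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class IpMacBinding:
    """Static table entered by the administrator plus the dynamic table the
    DHCP server fills in; check() is the decision for one packet."""

    def __init__(self, static_pairs, enabled=True):
        self.enabled = enabled
        self.static = {ip: normalize_mac(mac) for ip, mac in static_pairs}
        self.dynamic = {}

    def dhcp_lease(self, ip, mac):
        """The DHCP server handed out 'ip' to 'mac': record it in the dynamic table."""
        self.dynamic[ip] = normalize_mac(mac)

    def dhcp_release(self, ip):
        self.dynamic.pop(ip, None)

    def update_static(self, ip, mac):
        """What the administrator must do after changing a listed computer's address."""
        self.static[ip] = normalize_mac(mac)

    def check(self, src_ip, src_mac):
        """Return ('ALLOW', reason) or ('BLOCK', reason) for a packet from src_ip/src_mac."""
        if not self.enabled:
            return "ALLOW", "IP/MAC binding disabled"
        # Assumption: a static entry takes precedence over a dynamic one.
        expected = self.static.get(src_ip, self.dynamic.get(src_ip))
        if expected is None:
            return "BLOCK", f"{src_ip} has no IP/MAC entry; add the new computer first"
        seen = normalize_mac(src_mac)
        if seen != expected:
            return "BLOCK", f"{src_ip} is bound to {expected} but the packet came from {seen}"
        return "ALLOW", "IP/MAC pair matches"


if __name__ == "__main__":
    # Constructed sample table: one statically bound server.
    binding = IpMacBinding([("192.168.1.10", "00-0C-29-AB-CD-EF")])
    print(binding.check("192.168.1.10", "00:0c:29:ab:cd:ef"))   # ALLOW
    print(binding.check("192.168.1.10", "00:0c:29:ab:cd:00"))   # BLOCK, MAC changed
    print(binding.check("192.168.1.50", "00:0c:29:ab:cd:ee"))   # BLOCK, unknown host
```

The normalisation step matters in practice: the MAC written in the web-based manager and the MAC seen on the wire often differ only in case or separators, and a byte-for-byte comparison would block a legitimate host.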
71. ...
• Configuring the routing table
• Enabling RIP server support
• Adding routes (Transparent mode)

Adding routing gateways
The first step in configuring DFL-500 NPG routing is to add routing gateways. Routing gateways are the gateways on your network to which you want to route DFL-500 NPG traffic. You can add the IP address of each routing gateway, and you can optionally configure the DFL-500 NPG to ping the routing gateway at a specified time interval to make sure that the DFL-500 NPG can still communicate with it.
To add a routing gateway:
• Go to System > Network > Routing Gateway
• Select New to add a new routing gateway.
• Enter the IP address of the routing gateway. This IP address should be on the same subnet as the DFL-500 NPG interface that connects to this gateway.
• Select Dead gateway detection if you want the DFL-500 NPG to confirm connectivity with the gateway.
If you select dead gateway detection, you can also configure the ping target, detection interval and fail-over detection for the routing gateway. Set Ping Target to the IP address that the DFL-500 NPG should ping to test connectivity with the gateway. The ping target can be the IP address of the gateway itself, but it is more useful to use the IP address of a server on the other side of the gateway that responds to pings reliably: that tests the path through the gateway, not just the gateway's own interface. Set Detection Interval to specify how often the DFL-500 NPG tests the connect...
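The dead gateway detection settings above, modelled as an added Python example that is not part of the D-Link manual. The class and function names (RoutingGateway, record_probe, choose_gateway) are mine, and two behaviours are my assumptions rather than documented facts: that "Fail-over detection" is a count of consecutive failed probes before the gateway is declared dead, and that a single successful probe revives it. Probe results are constructed, not real pings.

```python
class RoutingGateway:
    """One routing gateway with optional dead gateway detection."""

    def __init__(self, address, ping_target=None, detection_interval=5, failover_after=3):
        self.address = address
        self.ping_target = ping_target or address   # default: ping the gateway itself
        self.detection_interval = detection_interval  # seconds between probes
        self.failover_after = failover_after          # assumed meaning of Fail-over detection
        self.failures = 0
        self.alive = True
        self.last_probe = None

    def due(self, now):
        """A probe is only counted if at least detection_interval has passed."""
        return self.last_probe is None or now - self.last_probe >= self.detection_interval

    def record_probe(self, now, reachable):
        """Feed the result of pinging ping_target at time 'now'; returns liveness."""
        if not self.due(now):
            return self.alive
        self.last_probe = now
        if reachable:
            self.failures = 0
            self.alive = True          # assumption: one good probe recovers the gateway
        else:
            self.failures += 1
            if self.failures >= self.failover_after:
                self.alive = False
        return self.alive


def choose_gateway(gateways):
    """First gateway in preference order that is still alive, or None if all are dead."""
    for gw in gateways:
        if gw.alive:
            return gw
    return None


if __name__ == "__main__":
    # Constructed scenario: primary pinging a server beyond the gateway, plain backup.
    primary = RoutingGateway("192.168.100.1", ping_target="203.0.113.1",
                             detection_interval=5, failover_after=3)
    backup = RoutingGateway("192.168.100.2")
    for t, ok in [(0, False), (5, False), (10, False)]:
        primary.record_probe(t, ok)
    print(choose_gateway([primary, backup]).address)   # backup took over
```

Pinging a server beyond the gateway, as the manual recommends, is what makes the third failed probe meaningful: a gateway whose own interface answers while its upstream link is down would otherwise never be marked dead.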
72. (Index, continued)
firewall: setup wizard, starting; firmware: upgrading
first trap receiver IP address (SNMP)
fixed port (policy option)
from IP (system status); from port (system status)
G
gateway: adding (remote gateway, IPSec VPN); remote gateway name; routing
get community (SNMP)
group address
grouping services
H
HTTP: enabling web content filtering
HTTPS
hub and spoke VPN
I
[several entries unrecoverable]
internal address (example); internal address group (example); internal interface (configuring); internal network (configuring)
Internet key exchange
interoperability: third party products
IP Address: IPSec VPN Remote Gateway
IP addresses: configuring from the CLI
IP pool: adding
IP/MAC binding: adding; allow traffic; block traffic; dynamic IP/MAC list; enabling; static IP/MAC list
IPSec
IPSec VPN: adding firewall policy; AutoIKE key; AutoIKE key remote gateway; AutoIKE key VPN tunnel; compatibility with IPSec VPN products; concentrator; configuring; remote gateway; definition; dialup VPN; features; hub and spoke; manual key; manual key exchange VPN tunnel; remote gateway status; timeout; user groups; viewing tunnel status
IPSec VPN tunnel: adding AutoIKE key tunnel; adding manual key tunnel; enabling perfect forward secrecy (PFS); enabling replay detection; keep alive; keylife; P2 proposal; PFS; remote gateway
73. ...
• Configuring user groups

Setting authentication time out
To set the authentication time out using the web-based manager:
• Go to System > Config > Options
• Set Auth Timeout to control how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall. The default authentication time out is 15 minutes.

Adding user names and configuring authentication
Use the following procedures to add user names and configure authentication. This section describes:
• Adding user names and configuring authentication
• Deleting user names from the internal database

Adding user names and configuring authentication
• Go to User > Local
• Select New to add a new user name.
[Figure: Adding a user name. The form shows User Name, the Disable, Password and RADIUS options, and the check box "Try other servers if connect to selected server fails".]
• Enter the user name. The user name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
• Select one of the following authentication configurations:
  Disable: Prevent this user from authenticating.
  Password: Enter the password that this user must use to authenticate. The password should be at least six characters long; treat six as the floor, not the target. The password can contain numbers (0-9), uppercase and lowercase letters (A...
74. ...
• Select New to add a new RADIUS server.
• Enter the name of the RADIUS server. You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
• Enter the domain name or IP address of the RADIUS server.
• Enter the RADIUS server secret.
• Select OK.
[Figure: Example RADIUS configuration, showing the Name, Server Name/IP and Server Secret fields.]

Deleting RADIUS servers
You cannot delete RADIUS servers that have been added to user groups.
• Go to User > RADIUS
• Select the Delete icon beside the RADIUS server name that you want to delete.
• Select OK.

Configuring user groups
Use the following information to add user groups to your DFL-500 configuration. You can add user names and RADIUS servers to user groups. You can then add user groups to:
• Policies that require authentication (see Adding NAT/Route mode policies and Adding Transparent mode policies). Only users in the selected user group, or users that can authenticate with the RADIUS servers added to the user group, can authenticate with these policies.
• IPSec VPN Remote Gateways for dialup users (see Configuring dialup VPN). Only users in the selected user group can authenticate with this Remote Gateway.
• The DFL-500 PPTP configuration (see PPTP VPN configuration). Only users in the selected user group can use...
75. ...and select the Move To icon to change its order in the policy list.
• Type a number in the Move to field to specify where in the policy list to move the policy, and select OK.
• Select the Delete icon to remove a policy from the list.

Enabling and disabling policies
You can enable and disable policies in the policy list to control whether the policy is active or not. The firewall matches enabled policies but does not match disabled policies.

Disabling a policy
Disable a policy to temporarily prevent the firewall from selecting the policy.
• Go to Firewall > Policy
• Select the tab for the policy list containing the policy to disable.
• Clear the check box of the policy to disable.

Enabling a policy
Enable a policy that has been disabled so that the firewall can match connections with the policy.
• Go to Firewall > Policy
• Select the tab for the policy list containing the policy to enable.
• Select the check box of the policy to enable.

Addresses
All policies require source and destination addresses. To add an address to a policy between two interfaces, you must first add addresses to the address list for each interface. These addresses must be valid addresses for the network connected to that interface. By default the firewall includes two addresses that cannot be edited or deleted:
• Internal_All on the internal address list represents the IP addresses of all computers on your internal network.
• External_All on the external a...
76. ...e it unavailable for use by policies. If an address is included in any policy, it cannot be deleted unless it is first removed from the policy.
• Go to Firewall > Address
• Select the interface list containing the address that you want to delete. You can delete any listed address that has a Delete Address icon.
• Choose an address to delete and select Delete.
• Select OK to delete the address.

Organizing addresses into address groups
You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy for the address group rather than three separate policies, one for each address.
You can add address groups to both interfaces. An address group can only contain addresses from that interface. Address groups are available in interface source or destination address lists. Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
• Go to Firewall > Address > Group
• Select the interface list to which to add the address group (New Int Group or New Ext Group).
[Figure: Adding an internal address group. The form shows Group Name (Internal_Group in the screenshot), Available Addresses and Members.]
• Enter a Group Name to identify the address group. The name can contain numbers (0-9), u...
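The rules from Adding addresses and from Organizing addresses into address groups, collected into one added Python example that is not part of the D-Link manual. The names validate_address, AddressBook, add_address, add_group, attach_to_policy and delete are mine, the interface_network parameter (the subnet configured on the interface, used to check that an address is valid for that interface) is an assumption, and the addresses are constructed. The first function reproduces the practitioner's check that a single computer needs a 255.255.255.255 netmask and that a subnet address has no host bits set; the class enforces the naming, same-interface and delete-protection rules.

```python
import re
import ipaddress

# Naming rule from the manual: letters, digits, '-' and '_' only, no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_address(name, ip, netmask, interface_network):
    """Return a list of problems with a firewall address entry (empty list = OK).
    interface_network, e.g. "192.168.1.0/24", is the subnet on the interface the
    address is being added to (an assumption used for the 'valid address' check)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"name {name!r}: only A-Z, a-z, 0-9, '-' and '_' are allowed")
    try:
        entry = ipaddress.ip_interface(f"{ip}/{netmask}")   # accepts dotted netmasks
    except ValueError as exc:
        problems.append(f"{ip}/{netmask}: {exc}")
        return problems
    net = entry.network
    if net.prefixlen != 32 and entry.ip != net.network_address:
        problems.append(f"{ip}/{netmask} has host bits set: it matches the whole subnet {net}, "
                        f"not the single host {ip}; use 255.255.255.255 for one computer")
    if not net.subnet_of(ipaddress.ip_network(interface_network)):
        problems.append(f"{net} is not on the interface network {interface_network}")
    return problems


class AddressBook:
    """Address and address-group lists of one interface."""

    def __init__(self, interface_network):
        self.interface_network = interface_network
        self.addresses = {}      # name -> IPv4Network
        self.groups = {}         # name -> [address names]
        self.in_use = set()      # names currently referenced by a policy

    def add_address(self, name, ip, netmask):
        problems = validate_address(name, ip, netmask, self.interface_network)
        if name in self.addresses or name in self.groups:
            problems.append(f"name {name!r} is already used by an address or group")
        if problems:
            raise ValueError("; ".join(problems))
        self.addresses[name] = ipaddress.ip_interface(f"{ip}/{netmask}").network
        return self.addresses[name]

    def add_group(self, name, members):
        # A group may not share a name with an address, and may only hold this interface's addresses.
        if not NAME_RE.match(name) or name in self.addresses or name in self.groups:
            raise ValueError(f"group name {name!r} is invalid or already used")
        missing = [m for m in members if m not in self.addresses]
        if missing:
            raise ValueError(f"not addresses on this interface: {missing}")
        self.groups[name] = list(members)

    def attach_to_policy(self, name):
        """Record that a policy now references this address or group."""
        self.in_use.add(name)

    def delete(self, name):
        if name in self.in_use:
            raise ValueError(f"{name!r} is used by a policy; remove it from the policy first")
        if name in self.groups:
            del self.groups[name]
        else:
            del self.addresses[name]

    def networks(self, name):
        """The networks a policy using this address or group actually matches."""
        if name in self.groups:
            return [self.addresses[m] for m in self.groups[name]]
        return [self.addresses[name]]
```

Adding three hosts and one group, then a single policy on the group, is the three-policies-become-one case the manual describes; networks("Internal_Group") is what that policy's source expands to.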
77. ...e web content filtering:
• Go to Firewall > Policy
• Select a policy list that contains policies for which you want to enable web content protection.
• Select New to add a new policy, or choose a policy to edit and select Edit. The policy must have Service set to ANY, HTTP, or a service group that includes HTTP. See Adding NAT/Route mode policies or Adding Transparent mode policies.
• Select Web filter to enable web content filtering protection for this policy. Select Show settings to view the current web content filtering configuration.
• Select OK to save the policy.
• Repeat this procedure for any HTTP policies for which to enable web content filtering.
Web filtering is applied to the HTTP traffic these policies allow; it does not examine encrypted HTTPS connections.

Blocking web pages that contain unwanted content
Block web pages that contain unwanted content by selecting Web filter in firewall policies, enabling content blocking, and then creating a list of banned words and phrases. When the DFL-500 NPG blocks a web page, the user who requested the blocked page receives a block message and the DFL-500 NPG writes a message to the event log. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese or Korean character sets.
This section describes:
• Configuring content filtering
• Clearing the banned word list
• Changing the content block message
• Backing up and restoring the banned word list

Configuring content filtering
• Go to Web Filter > Content Block
• Select Enable Ban...
78. ...ect (the remaining settings of the PPTP policy):
  Service: The service that matches the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
  Action: ACCEPT
  NAT: Select NAT if address translation is required.
You can also configure traffic shaping, logging and web filter settings for PPTP policies. For information about adding firewall policies, see Adding NAT/Route mode policies.

L2TP VPN configuration
L2TP clients must be able to authenticate with the DFL-500 NPG to start an L2TP session. To support L2TP authentication, you must add a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, RADIUS servers, or both.
After you have added a user group, configure your DFL-500 NPG to support L2TP by enabling L2TP and specifying an L2TP address range. The L2TP address range is the range of addresses that must be reserved for remote L2TP clients. When a remote L2TP client connects to the internal network using L2TP, the client computer is assigned an IP address from this range. The L2TP address range can be on any subnet.
[Figure: L2TP VPN between a Windows client and the DFL-500 NPG. Main Office internal network 192.168.1.0; DFL-500 L2TP gateway with external IP 1.1.1.1; Internet; Windows client.]
Note: Make sure that your ISP supports L2TP connections.
Add firewall policies with an external source address to control the access that L2T...
79. ...ect to the DFL-500 VPN gateway.
Note: IPSec VPN is not supported in Transparent mode.
This chapter describes:
• Interoperability with IPSec VPN products
• Configuring AutoIKE key IPSec VPN
• Configuring manual key IPSec VPN
• Configuring dialup VPN
• Configuring a VPN concentrator for hub and spoke VPN
• Configuring IPSec redundancy
• Adding a remote gateway
• Adding an AutoIKE key VPN tunnel
• Adding a manual key VPN tunnel
• Adding a VPN concentrator
• Adding an encrypt policy
• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN

Interoperability with IPSec VPN products
Because the DFL-500 NPG supports the IPSec industry standard for VPN, you can configure a VPN between a DFL-500 NPG and any client or gateway firewall that supports IPSec VPN. DFL-500 IPSec VPNs support:
• IPSec (Internet Protocol Security) standard
• Automatic IKE based on pre-shared key
• Manual keys that can be fully customized
• ESP security in tunnel mode
• DES and 3DES (TripleDES) encryption
• Diffie-Hellman groups 1, 2 and 5
• HMAC-MD5 or HMAC-SHA1 authentication (data integrity)
• Aggressive and Main Mode
• NAT Traversal
• Replay Detection
• IPSec Redundancy
• Perfect Forward Secrecy
• VPN concentrator for hub and spoke configurations
Of the options listed, choose 3DES, HMAC-SHA1 and Diffie-Hellman group 5 wherever the peer allows them: single DES, MD5 and DH group 1 are the weakest choices the device offers. Prefer Main Mode when both ends have static addresses, and keep Replay Detection and Perfect Forward Secrecy enabled. To successfully establish an IPSec VPN tunnel, the DFL-500 IPSec VPN configuration must be compatible with the third party product. I...
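The compatibility requirement above, turned into a small checker as an added Python example that is not part of the D-Link manual. The supported sets are exactly the phase-1 options the manual lists; the weakness notes, the Proposal type and the function names (unsupported, weaknesses, negotiate) are my own. It answers the two questions a practitioner asks before pairing the DFL-500 with a third-party gateway: can the peer's proposal be expressed on this device at all, and which common proposal will be chosen given each side's preference order.

```python
from dataclasses import dataclass

# Phase-1 options the manual says the DFL-500 offers.
SUPPORTED_ENCRYPTION = {"DES", "3DES"}
SUPPORTED_AUTHENTICATION = {"MD5", "SHA1"}
SUPPORTED_DH_GROUPS = {1, 2, 5}

# Strength notes added here; my assessment, not the manual's.
WEAK = {
    "DES": "56-bit key, brute-forceable",
    "MD5": "broken hash; of the two offered, SHA1 is the better choice",
    1: "768-bit modulus, far below current minimums",
}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: int


def unsupported(proposal):
    """Parts of a proposal the DFL-500 cannot offer at all (empty list = expressible)."""
    out = []
    if proposal.encryption not in SUPPORTED_ENCRYPTION:
        out.append(f"encryption {proposal.encryption}")
    if proposal.authentication not in SUPPORTED_AUTHENTICATION:
        out.append(f"authentication {proposal.authentication}")
    if proposal.dh_group not in SUPPORTED_DH_GROUPS:
        out.append(f"DH group {proposal.dh_group}")
    return out


def weaknesses(proposal):
    """Weak components of a proposal that the device nevertheless accepts."""
    parts = (proposal.encryption, proposal.authentication, proposal.dh_group)
    return [f"{p}: {WEAK[p]}" for p in parts if p in WEAK]


def negotiate(local, remote):
    """Pick the proposal both sides can use. The local list order is the preference
    order, so the first local entry the peer also offers wins; None means the
    tunnel cannot be established and one side's list must change."""
    offered = set(remote)
    for proposal in local:
        if proposal in offered:
            return proposal
    return None


if __name__ == "__main__":
    # Constructed lists: the DFL-500 side prefers its strongest options first.
    dfl500 = [Proposal("3DES", "SHA1", 5), Proposal("3DES", "MD5", 2), Proposal("DES", "MD5", 1)]
    peer = [Proposal("DES", "MD5", 1), Proposal("3DES", "MD5", 2)]
    chosen = negotiate(dfl500, peer)
    print("agreed:", chosen, "warnings:", weaknesses(chosen))
```

Listing proposals strongest-first on the DFL-500 side is what makes the example settle on 3DES/MD5/group 2 rather than the DES/MD5/group 1 entry the peer lists first.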
80. ...ection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.
The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the Int > Ext policy list, the firewall allows all connections from the internal network to the Internet, because every connection matches the default policy.
A policy that is an exception to the default policy, for example a policy to block FTP connections, must be placed above the default policy in the Int > Ext policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match the FTP policy, but they would match the default policy, so the firewall would still accept all other connections from the internal network.
Policies that require authentication must be added to the policy list above matching policies that do not; otherwise the policy that does not require authentication is selected first and the authentication requirement is never enforced.

Changing the order of policies in a policy list
• Go to Firewall > Policy
• Select the tab for the policy list that you want to rearrange.
• Choose a policy to mov...
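The first-match rule above, and the two ordering mistakes it makes possible, as an added Python example that is not part of the D-Link manual. The Policy type, the SERVICES table and the function names (matches, decide, shadowed) are mine; addresses and groups are represented as networks and all sample values are constructed. Beyond replaying the FTP example, shadowed() is the check a practitioner wants before saving a policy list: it reports any policy that an earlier, broader policy makes unreachable, which is exactly what happens when the FTP exception or an authenticating policy sits below the default policy.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the predefined services: name -> (protocol, port).
SERVICES = {"HTTP": ("tcp", 80), "FTP": ("tcp", 21), "POP3": ("tcp", 110)}


@dataclass(frozen=True)
class Policy:
    name: str
    source: str             # address or group rendered as a network, e.g. "192.168.1.0/24"
    destination: str
    service: str            # "ANY" or a key of SERVICES
    action: str             # "ACCEPT" or "DENY"
    enabled: bool = True
    authentication: bool = False


def matches(policy, src_ip, dst_ip, proto, port):
    """True when an enabled policy covers this connection attempt."""
    if not policy.enabled:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(policy.source):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(policy.destination):
        return False
    return policy.service == "ANY" or SERVICES[policy.service] == (proto, port)


def decide(policy_list, src_ip, dst_ip, proto, port):
    """Walk the list top to bottom; the first match decides, no match means drop."""
    for policy in policy_list:
        if matches(policy, src_ip, dst_ip, proto, port):
            return policy.action, policy.name
    return "DROP", None


def shadowed(policy_list):
    """(policy, policy above it) pairs where the earlier enabled policy already
    covers every connection the later one could match, so the later one never
    fires. Catches an exception below the default policy and an authenticating
    policy below its non-authenticating twin."""
    found = []
    for i, later in enumerate(policy_list):
        later_src = ipaddress.ip_network(later.source)
        later_dst = ipaddress.ip_network(later.destination)
        for earlier in policy_list[:i]:
            if not earlier.enabled:
                continue
            covers = (later_src.subnet_of(ipaddress.ip_network(earlier.source))
                      and later_dst.subnet_of(ipaddress.ip_network(earlier.destination))
                      and earlier.service in ("ANY", later.service))
            if covers:
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    internal, internet = "192.168.1.0/24", "0.0.0.0/0"
    default = Policy("default", internal, internet, "ANY", "ACCEPT")
    block_ftp = Policy("block_ftp", internal, internet, "FTP", "DENY")
    print(decide([block_ftp, default], "192.168.1.5", "203.0.113.9", "tcp", 21))  # DENY
    print(decide([default, block_ftp], "192.168.1.5", "203.0.113.9", "tcp", 21))  # ACCEPT: wrong order
    print(shadowed([default, block_ftp]))                                          # [('block_ftp', 'default')]
```

The shadow check is deliberately conservative: it only reports a policy when the earlier one is at least as broad in source, destination and service, so a warning always means a real ordering problem.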
81. (Contents, continued)
... 9
Getting started 10
Package contents 10
Mounting 10
Powering on 11
Initial configuration 12
Connecting to the web-based manager 12
Connecting to the command line interface (CLI) 13
Next steps 14
NAT/Route mode installation 15
Preparing to configure NAT/Route mode 15
Using the setup wizard 16
Starting the setup wizard 16
Reconnecting to the web-based manager 16
Using the command line interface 16
Configuring the DFL-500 NPG to run in NAT/Route mode 16
Connecting to your networks...
82. (Contents, continued)
... 92
Configuring routing 92
Adding routing gateways 92
Adding a default route 93
Adding routes to the routing table 93
Configuring the routing table 94
Enabling RIP server support 94
Adding routes (Transparent mode) 94
Providing DHCP services to your internal network 95
System configuration 96
Setting system date and time 97
Changing web-based manager options 98
Adding and editing administrator accounts...
83. (Contents, continued)
... 20
Configure the Transparent mode default gateway 21
Setting the date and time 21
Connecting to your networks 21
Firewall configuration 23
NAT/Route mode and Transparent mode 24
NAT/Route mode 24
Transparent mode 24
Changing to Transparent mode 24
Changing to NAT/Route mode 24
Adding NAT/Route mode policies 24
Adding Transparent mode policies 27
Configuring policy lists 29
Policy matching 29
Changing the order of policies in a policy list 30
Enabling and disabling policies...
84. (Contents, continued)
... 98
Configuring SNMP 99
Glossary 101
(entry unrecoverable) 104
Technical Support 116
Limited Warranty 119
(entry unrecoverable) 122

Introduction
The DFL-500 Network Protection Gateway (NPG) is an easy to deploy and easy to administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your DFL-500 is a dedicated, easily managed security device that delivers a full suite of capabilities that include firewall, VPN, traffic shaping and web content filtering.

NAT/Route mode and Transparent mode
The DFL-500 can operate in NAT/Route mode or Transparent mode.

NAT/Route mode
In NAT/Route mode, the DFL-500 is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the internal private network. You can control whether firewall policies run in NAT mode or Route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.

Transparent mode
Transparent mo...
85. (Contents, continued)
... 51
Configuring IPSec redundancy 52
Adding a remote gateway 53
About dialup VPN authentication 54
About DH groups 56
About the P1 proposals 56
About NAT traversal 57
Adding an AutoIKE key VPN tunnel 57
About the P2 proposals 58
About replay detection 58
About perfect forward secrecy (PFS) 59
Adding a manual key VPN tunnel 59
Adding a VPN concentrator 60
Adding an encrypt policy 61
Viewing VPN tunnel status...
86. (Contents, continued)
... 17
Configuring your internal network 18
Completing the configuration 18
Setting the date and time 18
Transparent mode installation 19
Preparing to configure Transparent mode 19
Using the setup wizard 19
Changing to Transparent mode 19
Starting the setup wizard 20
Reconnecting to the web-based manager 20
Using the command line interface 20
Changing to Transparent mode 20
Configuring the Transparent mode management IP address...
87. (Contents, continued)
... 72
Backing up and restoring the banned word list 72
Blocking access to URLs 73
Configuring URL blocking 73
Clearing the URL block list 74
Changing the URL block message 74
Downloading the URL block list 74
Uploading a URL block list 74
Removing scripts from web pages 75
Exempting URLs from content or URL blocking 75
Adding URLs to the Exempt URL list 76
Clearing the Exempt URL list 76
Downloading the Exempt URL list...
88. ...encrypt policies that allow inbound and outbound VPN connections between each of the member VPNs. The policy between the member VPN and the concentrator must be placed in the policy list above the policies between member VPNs. Each encrypt policy must include the same tunnel name.
To configure each member VPN:
• Add a remote gateway if you are adding AutoIKE key tunnels. See Adding a remote gateway.
• Add an AutoIKE key VPN tunnel and include the remote gateway added in step 1 (see Adding an AutoIKE key VPN tunnel), or add a manual key VPN tunnel (see Adding a manual key VPN tunnel).
• Add one encrypt policy between the member VPN and the VPN concentrator. Use the following configuration:
  Source: Member VPN address
  Destination: VPN concentrator address
  Action: ENCRYPT
  VPN Tunnel: The VPN tunnel added in step 2
  Allow inbound: Select allow inbound
  Allow outbound: Select allow outbound
  Inbound NAT: Select inbound NAT if required
  Outbound NAT: Select outbound NAT if required
  See Adding an encrypt policy.
• Add additional encrypt policies between the member VPNs. Use the following configuration:
  Source: Local member VPN address
  Destination: Remote member VPN address
  Action: ENCRYPT
  VPN Tunnel: The VPN tunnel added in step 2
  Allow inbound: Select allow inbound
  Allow outbound: Select allow outbound
  Inbound NAT: Select inbound NAT if required
  Outbound NAT: Select outbound NAT if required

Configuring...
89. ...ents for PPTP or L2TP.
• Add the addresses from the L2TP address range to the external interface address list. The addresses can be grouped into an external address group.
• Add the addresses to which L2TP users can connect to the internal interface. The addresses can be grouped into an address group.
• Add an Ext > Int policy to allow L2TP clients to connect through the DFL-500 NPG. Configure the policy as follows:
  Source: The address group that matches the L2TP address range
  Destination: The address to which L2TP users can connect
  Service: The service that matches the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, select HTTP.
  Action: ACCEPT
  NAT: Select NAT if address translation is required
You can also configure traffic shaping, logging and web filter settings for L2TP policies.

Web content filtering
Use DFL-500 web content filtering for:
• Enabling web content filtering
• Blocking web pages that contain unwanted content
• Blocking access to URLs
• Removing scripts from web pages
• Exempting URLs from content or URL blocking

Enabling web content filtering
Enable web content filtering by selecting the Web filter option in firewall policies that allow HTTP connections through the DFL-500 NPG. Next, configure web content filtering settings to control how the DFL-500 NPG applies web content filtering to the HTTP traffic allowed by policies.
To enabl...
90. ...er space and a 0 (zero) to enable it and to indicate western language characters.
Select Restore Banned Word List to upload a banned word list to the DFL-500 NPG. Enter the path and filename of your banned word list text file, or select Browse and locate the file. Select OK to upload the banned word list backup text file. Select Return to display the restored banned word list.

Blocking access to URLs
To block access to URLs, enable URL blocking and then create a list of URLs to be blocked. You can block all pages on a website by adding its top-level URL or IP address. Alternatively, you can block individual pages on a website by including the full path and filename of the web page to block. Blocking by host name does not block the same site reached by its IP address, and vice versa, so add both forms where that matters. When the DFL-500 NPG blocks a web page, the user who requested the blocked page receives a block message and the DFL-500 NPG writes a message to the event log.
This section describes:
• Configuring URL blocking
• Clearing the URL block list
• Changing the URL block message
• Downloading the URL block list
• Uploading a URL block list

Configuring URL blocking
To turn on URL blocking by enabling the URL block list:
• Go to Web Filter > URL Block
• Select Enable URL Block to turn on URL blocking. The DFL-500 NPG now blocks web pages added to the URL block list.
• Select New to add an entry to the URL block list.
• Type the URL to block. Enter a top-level URL or IP address to block access to all pages on a website, for example www.badsite.com or 122...
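The two kinds of URL block entry described above (a whole site by host name or IP address, or a single page by full path and filename), together with the Exempt URL list from the Web content filtering overview, as an added Python example that is not part of the D-Link manual. The UrlFilter class and its methods (block, exempt_url, is_blocked) are mine; that an exempt entry takes precedence over a block entry, and that matching ignores scheme, port, query string and letter case, are my assumptions about the device's behaviour. The entries and requested URLs are constructed.

```python
from urllib.parse import urlsplit


def split_url(url):
    """Return (host, path): host lower-cased with scheme and port removed, path
    without query or fragment. Entries such as 'www.badsite.com' carry no scheme,
    so '//' is prepended to make urlsplit treat them as a network location."""
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


class UrlFilter:
    WHOLE_SITE = "*"

    def __init__(self):
        self.blocked = {}   # host -> set of paths, or {WHOLE_SITE}
        self.exempt = {}

    @classmethod
    def _add(cls, table, entry):
        host, path = split_url(entry)
        if not host:
            raise ValueError(f"entry {entry!r} has no host name or IP address")
        # A bare host (or host with just '/') blocks every page on that site.
        table.setdefault(host, set()).add(cls.WHOLE_SITE if path == "/" else path)

    def block(self, entry):
        self._add(self.blocked, entry)

    def exempt_url(self, entry):
        self._add(self.exempt, entry)

    @classmethod
    def _hit(cls, table, host, path):
        paths = table.get(host)
        if not paths:
            return False
        return cls.WHOLE_SITE in paths or path in paths

    def is_blocked(self, url):
        """Decision for one requested URL; exemptions win over block entries."""
        host, path = split_url(url)
        if self._hit(self.exempt, host, path):
            return False
        return self._hit(self.blocked, host, path)


if __name__ == "__main__":
    # Constructed block list: one whole site, one single page, one exemption.
    f = UrlFilter()
    f.block("www.badsite.com")
    f.block("http://example.net/private/page.html")
    f.exempt_url("www.badsite.com/ok.html")
    for url in ("http://www.badsite.com/any/page.html", "http://badsite.com/any/page.html",
                "http://example.net/private/page.html", "http://www.badsite.com/ok.html"):
        print(url, "->", "blocked" if f.is_blocked(url) else "allowed")
```

Note that blocking www.badsite.com does not block badsite.com: the manual's top-level entry matches one host name, so each alias a site answers on needs its own entry, as does its IP address.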
91. ...er for the defective Hardware will be refunded by D-Link upon return to D-Link of the defective Hardware. All Hardware or part thereof that is replaced by D-Link, or for which the purchase price is refunded, shall become the property of D-Link upon replacement or refund.
Limited Software Warranty: D-Link warrants that the software portion of the product ("Software") will substantially conform to D-Link's then current functional specifications for the Software, as set forth in the applicable documentation, from the date of original delivery of the Software for a period of ninety (90) days ("Warranty Period"), if the Software is properly installed on approved hardware and operated as contemplated in its documentation. D-Link further warrants that, during the Warranty Period, the magnetic media on which D-Link delivers the Software will be free of physical defects. D-Link's sole obligation shall be to replace the non-conforming Software (or defective media) with software that substantially conforms to D-Link's functional specifications for the Software. Except as otherwise agreed by D-Link in writing, the replacement Software is provided only to the original licensee, and is subject to the terms and conditions of the license granted by D-Link for the Software. The Warranty Period shall extend for an additional ninety (90) days after any replacement Software is delivered. If a material non-conformance is incapable of correction, or if D-Link dete...
92. ...etween interfaces. The DFL-500 NPG applies policies to control network traffic without modifying the packets in any way.

Changing to Transparent mode
Use the procedure Changing to Transparent mode to switch the DFL-500 NPG from NAT/Route mode to Transparent mode. Changing to Transparent mode deletes all NAT/Route mode policies and addresses. In addition, any routing set in NAT mode is also deleted, including the default route that is part of the default NAT configuration.

Changing to NAT/Route mode
Use the procedure Changing to NAT/Route mode to switch the DFL-500 NPG from Transparent mode to NAT/Route mode. Changing to NAT/Route mode deletes all Transparent mode policies and addresses. In addition, any routing set in NAT mode is also deleted, including the default route that is part of the default NAT configuration.

Adding NAT/Route mode policies
Add NAT/Route mode policies to control connections and traffic between DFL-500 interfaces. If you have configured the DFL-500 NPG for NAT/Route mode operation, you can use the following procedure to add NAT/Route mode policies.
• Go to Firewall > Policy
• Select the policy list tab to which you want to add the policy.
• Select New to add a new policy. You can also select the Insert Policy before icon on a policy in the list to add the new policy above that policy.
• Configure the policy:
  Source: Select an address or address group that matches the source address o...
93. etwork and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.

PPTP and L2TP VPNs

Using PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running Microsoft Windows and your internal network. PPTP is a Windows VPN standard. You can use PPTP to connect computers running Windows to a DFL-500 NPG-protected private network without using third-party VPN client software. L2TP combines Windows PPTP functionality with IPSec security. L2TP is supported by most recent versions of Windows. PPTP's own authentication (MS-CHAP) and encryption (MPPE) are considerably weaker than IPSec, so where the clients support it, prefer L2TP, which carries the tunnel inside IPSec.

VPNs protect data passing through the secure tunnel by encrypting it to guarantee confidentiality. In addition, authentication guarantees that the data originated from the claimed sender and was not damaged or altered in transit. When the client computer is connected to the VPN tunnel, it seems to the user that the client computer is directly connected to the internal network.

Note: PPTP and L2TP VPNs are only supported in NAT/Route mode.

This chapter describes:
• PPTP VPN configuration
• L2TP VPN configuration

PPTP VPN configuration

PPTP clients must be able to authenticate with the DF
94. f the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses.

Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. To add an address, see Addresses. For an Ext > Int NAT mode policy, the destination can also be a virtual IP that maps the destination address to a hidden destination address on the internal network. See Virtual IPs.

Schedule: Select a schedule that controls when the policy is available to be matched with connections. See Schedules.

Service: Select a service that matches the service or port number of the packet. You can select from a wide range of predefined services, or add custom services and service groups. See Services.

Action: Select how the firewall should respond when the policy matches a connection attempt.
  ACCEPT: Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
  DENY: Deny the connection.
  ENCRYPT: Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE key or Manual Key VPN tunnel for the policy and configure other IPSec settings. For ENCRYPT policies, Service is set to ANY and authentication is not supported.

NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy
95. [Screenshot: DHCP settings, showing Default Route 192.168.100.1, Exclusion Range 1 of 192.168.100.5 to 192.168.100.10, and empty Ranges 2 through 4]

Viewing the dynamic IP list

If you have configured your DFL-500 NPG as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses. The DFL-500 NPG adds these addresses to the dynamic IP/MAC list and, if IP/MAC binding is enabled, the addresses in the dynamic IP/MAC list are added to the list of trusted IP/MAC address pairs. For more information about IP/MAC binding, see IP/MAC binding.

To view the dynamic IP list:
• Go to System > Network > DHCP.
• Select Dynamic IP List.
The dynamic IP list appears.

[Screenshot: Example dynamic IP list with IP, MAC and Expire columns; the sample shows three leases in 192.168.2.0/24 expiring Sun Sep 22 2002]

System configuration

Go to System > Config to make any of the following changes to the DFL-500 NPG system configuration:
• Setting system date and time
• Changing web-based manager options
• Adding and editing administrator accounts
• Configuring SNMP

Setting system date and time

For effective scheduling and logging, the DFL-500 NPG time should be accurate. You can either manually set the DFL-500 NPG time or you can configure the DFL
96. fic log whenever the policy processes a connection.

Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to select the users that can authenticate with this policy. To add and configure user groups, see Users and authentication. You must add user groups before you can select authentication.

You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate, you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall user name and password. Note that HTTP, Telnet and FTP all carry that user name and password in cleartext, so authenticating across an untrusted network segment exposes the credentials to anyone who can capture the traffic.

If you want users to authenticate to use other services (for example POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication, as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.

In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.

Web filter: Enable web filter content filtering for traffic controlled by this policy. You can select Web filter if Service is set to ANY or HTTP or
97. figuring alert email

You can configure the DFL-500 NPG to send alert email to up to three email addresses. You can enable sending alert emails for firewall or VPN events or violations.

This section describes:
• Configuring alert email
• Testing alert email
• Enabling alert email

Configuring alert email
• Go to System > Network > DNS.
• If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP. Because the DFL-500 NPG uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server.
• Select Apply.
• Go to Log & Report > Alert Mail > Configuration.
• In the SMTP Server field, enter the name of the SMTP server to which the DFL-500 NPG should send email. The SMTP server can be located on any network connected to the DFL-500 NPG.
• In the SMTP User field, enter a valid email address in the format user@domain.com. This address appears in the From heading of the alert email.
• Enter up to 3 destination email addresses in the Email To fields. These are the actual email addresses that the DFL-500 NPG sends alert emails to.
• Select Apply to save the alert email settings.

Testing alert email

You can test your alert email settings by sending a test email.
• Go to Log & Report > Alert Mail > Configuration.
• Select Test to send test email messages from the DFL-500 NPG to the Email To addresses that yo
98. figuring policy lists
• Addresses
• Services
• Schedules
• Virtual IPs
• IP pools
• IP/MAC binding

NAT/Route mode and Transparent mode

The first step in configuring firewall policies is to configure the mode for the firewall. The firewall can run in NAT/Route mode or Transparent mode.

NAT/Route mode

Run the DFL-500 NPG in NAT/Route mode to protect a private network from a public network. When the DFL-500 NPG is running in NAT/Route mode, you can connect a private network to the internal interface and a public network, such as the Internet, to the external interface. Each of these networks must have a different subnet address. You create policies to control how the firewall routes packets between interfaces, and therefore between the networks connected to the interfaces.

In NAT/Route mode you can create NAT mode policies and Route mode policies:
• NAT mode policies use network address translation to hide the addresses of a more secure network from users on a less secure network.
• Route mode policies control connections between networks without performing address translation.

Transparent mode

Run the DFL-500 NPG in Transparent mode to provide firewall protection to a network with public addresses. The DFL-500 NPG can be inserted into your network at any point without the need to make changes to your network or any of its components. In Transparent mode you add policies to accept or deny connections b
99. figuring the routing table
Enabling RIP server support
Adding routes
Transparent mode
Providing DHCP services to your internal network
System configuration
Setting system date and time
Changing web-based manager options
Adding and editing administrator accounts
Configuring SNMP

System status

If you log into the web-based manager using the admin administrator account, you can go to System > Status to make any of the following changes to the system settings:
• Upgrading the DFL-500 NPG firmware
• Backing up system settings
• Restoring system settings
• Restoring system settings to factory defaults
• Changing to Transparent mode
• Changing to NAT/Route mode
• Restarting the DFL-500 NPG
• Shutting down the DFL-500 NPG

If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings, including:
• Displaying the DFL-500 NPG serial number

All administrative users can also go to System > Status > Monitor and view system status:
• System status monitor

Upgrading the DFL-500 NPG firmware

D-Link releases new versions of the DFL-500 NPG firmware periodically. You can download the upgrade from D-Link and use one of the following procedures to upgrade the firmware on your DFL-500 NPG:
• Upgrading the firmware using the web-based manager
• Upgrading the firmware from a TFTP server using the CLI

Upgrading the firmware usi
100. for the administrator account. The password must be at least 6 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Six characters is the minimum the device enforces, not a recommendation; use considerably longer passwords for administrator accounts.
• Optionally, type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the DFL-500 NPG from any address, set the trusted host to 0.0.0.0 and the wildcard mask to 255.255.255.255. To limit the administrator to only be able to access the DFL-500 NPG from a specific network, set the trusted host to the address of this network and set the wildcard mask to the netmask for this network. For example, to limit an administrator to accessing the DFL-500 NPG from your internal network, set the trusted host to the address of your internal network (for example 192.168.1.0) and set the wildcard mask to 255.255.255.0.

Note: The two mask examples above do not use the same interpretation of the mask. 0.0.0.0 with 255.255.255.255 meaning "any address" reads the mask as a wildcard (a 1 bit is "don't care"), while 192.168.1.0 with 255.255.255.0 meaning the internal /24 reads it as an ordinary netmask. Verify on your unit which addresses an entry actually admits before relying on it, and give every administrator the narrowest trusted host that still works.

• Set the Permission level for the administrator.
• Select OK to add the administrator account.

Editing administrator accounts

The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.

Configuring SNMP

Configure SNMP for the D
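The following is an added example, not code from the D-Link manual or the product: it checks a candidate administrator account against the two rules given above, the password character rule and the trusted host entry. Because the manual's two mask examples read the mask differently, the trusted-host check implements both the wildcard reading and the netmask reading so an operator can compare them with what the unit actually does. Function names, the sample addresses and the audit helper are this example's own.

```python
"""Added example (not code from the D-Link manual): checks for the two
administrator-account rules described above. The password rule and the two
trusted-host/mask readings come from the manual's text; the function names
are this example's own."""
import ipaddress
import re

# Password rule as the manual states it: at least 6 characters, drawn only from
# 0-9, A-Z, a-z, '-' and '_'. No other special characters, no spaces.
_PASSWORD_RULE = re.compile(r"[0-9A-Za-z_-]{6,}")


def password_is_valid(password: str) -> bool:
    """True if the password satisfies the administrator password rule."""
    return _PASSWORD_RULE.fullmatch(password) is not None


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def trusted_host_allows(client_ip: str, trusted_host: str, mask: str,
                        wildcard: bool) -> bool:
    """Decide whether an administrator connecting from client_ip matches the
    trusted host entry (trusted_host, mask).

    wildcard=True  reads the mask Cisco-style: a 1 bit means 'don't care'.
    wildcard=False reads it as an ordinary netmask: a 1 bit must match.

    The manual's two examples only both hold if the first (0.0.0.0 with
    255.255.255.255 meaning 'any address') is read as a wildcard mask and the
    second (192.168.1.0 with 255.255.255.0 meaning the internal /24) as a
    netmask, so both readings are implemented for comparison against the
    unit's real behaviour.
    """
    client, host, m = _as_int(client_ip), _as_int(trusted_host), _as_int(mask)
    care_bits = (~m & 0xFFFFFFFF) if wildcard else m
    return (client & care_bits) == (host & care_bits)


def admin_account_check(password: str, client_ip: str, trusted_host: str,
                        mask: str, wildcard: bool) -> list:
    """Collect the problems an operator should fix before saving the account.
    client_ip is the address the administrator will actually connect from."""
    problems = []
    if not password_is_valid(password):
        problems.append("password violates the length or character rule")
    if trusted_host == "0.0.0.0":
        problems.append("trusted host is 'any address'; narrow it to the management network")
    if not trusted_host_allows(client_ip, trusted_host, mask, wildcard):
        problems.append(f"administrator at {client_ip} would be locked out by this trusted host")
    return problems
```

Run trusted_host_allows with both values of wildcard for the entry you intend to save; if the two readings disagree for your management addresses, test the entry on a second administrator account before applying it to the only one you can log in with.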
101. for the policy.

The destination address is the IP address of the remote network behind the remote VPN gateway. If you are adding an encrypt policy for a VPN with a remote VPN client connected to the Internet, the destination address should be the Internet address of the client computer.
• Go to Firewall > Policy > Int > Ext.
• Select New to add a new policy.

[Screenshot: Adding an encrypt policy, showing the Source, Destination, Schedule (Always), Service (ANY), Action (ENCRYPT), VPN Tunnel, Allow inbound, Allow outbound, Inbound NAT, Outbound NAT, Traffic Shaping (Guaranteed Bandwidth, Maximum Bandwidth, Traffic Priority), Log Traffic and Web filter fields]

• Set Source to the VPN source address.
• Set Destination to the VPN destination address.
• Set Action to ENCRYPT. Service is set to ANY and cannot be changed.
• Configure the ENCRYPT parameters:

VPN Tunnel: Select an AutoIKE key or Manual Key tunnel. For information about adding VPN tunnels, see Adding an AutoIKE key VPN tunnel and Adding a manual key VPN tunnel.

Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.

Allow outbound: Select Allow
102. g configuring enabling cookies blocking CPU usage system status critical firewall events alert email critical VPN events alert email custom service customer service D date setting date and time setting example daylight saving time default gateway configuring Transparent mode default route destination policy option detection about replay detection DH group about DHCP external interface internal network internal network settings dialup VPN configuring 51 viewing connection status Diffie Hellman group IPSec VPN remote gateway disabling a policy DNS server addresses DNS IP DHCP configuration domain DHCP dynamic IP list viewing dynamic IP MAC list E email alert testing enabling a policy encryption adding IPSec firewall policy algorithm encryption algorithm manual key IPSec VPN encryption key manual key IPSec VPN ending IP environmental specifications event log blocked page message exclusion range DHCP Exempt List adding URLs clearing downloading uploading expire system status external interface configuring configuring DHCP configuring PPPoE management access F factory default restoring system settings firewall authentication timeout overview policy mode security policy mode firewall events alert email firewall policy configuring L2TP configuring PPTP encrypt IPSec NAT Route mode Transparent mod
103. g gateways added using the procedure Adding routing gateways. If you are adding a static route from the DFL-500 NPG to a single destination router, only specify one gateway.
• Select OK to save the new route.

Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see Configuring the routing table.

Configuring the routing table

As you add routes, they appear on the routing table. The routing table shows the source and destination addresses of each route, as well as the gateways added to the route. For each gateway, the routing table displays the gateway connection status. A green check mark indicates that the DFL-500 NPG can connect to the gateway; a red X means that a connection cannot be established. A blue question mark means that the connection status is unknown.

The DFL-500 NPG assigns routes by searching for a match starting at the top of the routing table and moving down until it finds the first match. You must arrange routes in the routing table from more specific to more general. The default route is the most general route. If you add a default route, it should be at the bottom of the routing table.
• Go to System > Network > Routing Table.
• Choose a route to move and select Move to change its order in the routing table.
• Type a number in the Move to field to specify where in the routing table to move the route, and select OK.
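The following is an added example, not code from the D-Link manual or the product, modelling the top-down first-match lookup described above. It shows what goes wrong when the default route is placed above a more specific route, flags routes that an earlier, more general entry shadows, and reorders the table specific-first. Routes are source network, destination network and up to four gateways, as the web-based manager asks for them; the route helper, the function names and the sample table are the example's own.

```python
"""Added example, not from the manual: a model of the DFL-500 routing table
lookup described above (top-down, first match), with a check that flags
routes shadowed by a more general route placed above them. The route entries
below are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field

IPv4Network = ipaddress.IPv4Network


@dataclass
class Route:
    source: IPv4Network                           # Source IP + netmask
    destination: IPv4Network                      # Destination IP + netmask
    gateways: list = field(default_factory=list)  # up to four gateway IPs


def route(src_ip, src_mask, dst_ip, dst_mask, *gateways):
    """Build a Route from the IP/netmask pairs the web-based manager asks for."""
    if len(gateways) > 4:
        raise ValueError("a route holds at most four gateways")
    return Route(IPv4Network(f"{src_ip}/{src_mask}", strict=False),
                 IPv4Network(f"{dst_ip}/{dst_mask}", strict=False),
                 list(gateways))


def lookup(table, src_ip, dst_ip):
    """First-match search from the top of the table, as the manual describes.
    Returns the matching Route, or None if nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in table:
        if s in r.source and d in r.destination:
            return r
    return None


def shadowed_routes(table):
    """Indexes of routes that can never match because an earlier route with an
    equal or wider source and destination already covers everything they would."""
    shadowed = []
    for i, r in enumerate(table):
        for earlier in table[:i]:
            if (r.source.subnet_of(earlier.source)
                    and r.destination.subnet_of(earlier.destination)):
                shadowed.append(i)
                break
    return shadowed


def order_specific_first(table):
    """Reorder so longer (more specific) prefixes come first; ties keep their
    original order. The default route (0.0.0.0/0 to 0.0.0.0/0) sinks to the bottom."""
    return sorted(table, key=lambda r: -(r.source.prefixlen + r.destination.prefixlen))


# Constructed sample table with the default route wrongly placed at the top.
DEFAULT = route("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "192.168.100.1")
TO_BRANCH = route("192.168.1.0", "255.255.255.0", "10.20.0.0", "255.255.0.0", "192.168.100.2")
SAMPLE_TABLE = [DEFAULT, TO_BRANCH]
```

With the default route on top, lookup sends branch-office traffic to the Internet gateway and shadowed_routes reports the branch route as dead; after order_specific_first the same lookup returns the branch gateway and nothing is shadowed.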
104. g of any of these items might prevent some web pages from working properly.
• Go to Web Filter > Script Filter.
• Select the filtering options that you want to enable. You can block Java applets, cookies, and ActiveX.
• Select Apply to enable script filtering.

Exempting URLs from content or URL blocking

Add URLs to the Exempt URL List to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked. Adding the address of the reputable website to the Exempt URL list allows the content of the website to bypass content blocking.

This section describes:
• Adding URLs to the Exempt URL List
• Clearing the Exempt URL list
• Downloading the Exempt URL list
• Uploading an Exempt URL list

Adding URLs to the Exempt URL List
• Go to Web Filter > Exempt URL.
• Select New to add an entry to the Exempt URL list.
• Type the URL to exempt. Enter a complete URL, including path and filename, to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt. Exempting a top-level URL, such as
105. ge. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.

NTP (Network Time Protocol): Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet, relative to Coordinated Universal Time (UTC).

Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.

Ping (Packet Internet Groper): A utility used to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.

POP3 (Post Office Protocol): A protocol used to transfer e-mail from a mail server to a mail client across the Internet. Most e-mail clients use POP.

PPP (Point-to-Point Protocol): A TCP/IP protocol that provides host-to-network and router-to-router connections.

PPTP (Point-to-Point Tunneling Protocol): A Windows-based technology for creating VPNs. PPTP is supported by Windows 98, 2000, and XP. To create a PPTP VPN, the routers between client and server must pass PPTP traffic (TCP port 1723 and GRE, IP protocol 47).

Port: In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.

Protocol: An agreed-upon format for transmitting data between two devices. The protoco
106. he DFL-500 NPG network settings:
• Configuring the internal interface
• Configuring the external interface
• Configuring the management interface (Transparent mode)
• Setting DNS server addresses

Configuring the internal interface

To configure the internal interface:
• Go to System > Network > Interface.
• For the internal interface, select Modify.
• Change the IP address and Netmask as required.
• Select the management Access methods for the internal interface:
  HTTPS: To allow secure HTTPS connections to the web-based manager through the internal interface.
  PING: If you want the internal interface to respond to pings. Use this setting to verify your installation and for testing.
  SSH: To allow secure SSH connections to the CLI through the internal interface.
  SNMP: To allow a remote SNMP manager to request SNMP information by connecting to the internal interface. See Configuring SNMP.
• Select OK to save your changes.

If you changed the IP address of the internal interface and you are connecting to the internal interface to manage the DFL-500 NPG, you must reconnect to the web-based manager using the new internal interface IP address.

[Screenshot: Configuring the internal interface. Edit Interface dialog for the internal interface, showing Name, IP, Netmask and the Access check boxes HTTPS, PING, SSH and SNMP]

Configuring the external interface

Use the following procedures to c
107. he configurations required for the server and the clients are different for different dialup gateway configurations. There are four possible dialup VPN authentication configurations:
• Main mode with no user group selected
• Main mode with a user group selected
• Aggressive mode with no user group
• Aggressive mode with a user group selected

For each variation, the Remote Gateway field of the dialup server remote gateway configuration must be set to Dialup User, and all of the clients must have their remote gateway (or equivalent) set to the static IP address of the remote gateway server. The following sections describe how to configure authentication on the server and clients for each of these variations.

Note: A dialup user must use the same mode as the VPN dialup server.
Note: For information about user groups, see Configuring user groups.

Main mode with no user group selected

In this configuration the server and the clients use main mode for key exchange. A user group has not been added to the server dialup remote gateway. Clients authenticate with the server using their authentication keys.

Main mode without user group
  Field               Server                 Clients
  Mode                Main (ID Protection)   Main (ID Protection)
  Authentication Key  The server and the clients must have the same authentication key
  Local ID            empty                  empty

Main mode with a user group selected

In this configuration the server and the clients use main mode for
108. hree different encryption and authentication algorithm combinations. Choosing more combinations might make it easier for P1 negotiation, but you can restrict the choice to one if required. For negotiation to be successful, both ends of the VPN tunnel must have at least one encryption algorithm and one authentication algorithm in common.
• Select DES to propose to encrypt packets using DES encryption.
• Select 3DES to propose to encrypt packets using triple-DES encryption.
• Select MD5 to propose to use MD5 authentication.
• Select SHA1 to propose to use SHA1 authentication.

Of the options offered here, prefer 3DES with SHA1. DES uses a 56-bit key and is not adequate against a well-resourced attacker, so include DES or MD5 in a proposal only while a peer cannot do better, and remember that a peer offering only the weak pair will get it as long as you still list it.

About NAT traversal

NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are mapped. Mapping both components allows multiple private IP addresses to use a single public IP address.

Because a NAT device modifies the original IP address of an IPSec packet, the packet fails an integrity check (AH authenticates the outer IP header, and ESP exposes no TCP/UDP ports for NAPT to rewrite). This failure means that IPSec VPN does not work through NAT devices. NAT traversal solves this problem by encapsulating the IPSec packet within a UDP packet. Encapsulating the IPSec packet allows NAT to process the packet without changing the original IPSec packet.

Both ends of a gateway must have the same NAT traversal setting. Each end can have different keepalive frequencies.

Adding an AutoIKE key VPN tunnel

Add an Au
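The following is an added example, not code from the D-Link manual or the product, modelling the phase 1 proposal matching described in the P1 proposal passages (up to three encryption/authentication combinations per gateway, and at least one pair in common for negotiation to succeed). The responder takes the first of the initiator's offers it also supports, so a weak pair left in the list is exactly what a weak peer will negotiate; the example also lists the weak algorithms still offered so an operator can prune them. The DH group check reflects IKEv1, where the group is part of the phase 1 transform. Peer proposal lists and function names are the example's own.

```python
"""Added example, not from the manual: a model of the P1 proposal matching
described above. Each side offers up to three (encryption, authentication)
combinations in preference order; the responder accepts the first offer it
also supports. Proposal lists below are constructed for the example."""

ENCRYPTION = {"DES", "3DES"}       # the two ciphers the DFL-500 offers
AUTHENTICATION = {"MD5", "SHA1"}   # the two hash algorithms it offers
# Operator policy for this example (not a device rule): 56-bit DES and MD5 are
# the weak choices among the options available.
WEAK = {"DES", "MD5"}


def validate(proposals):
    """Enforce the form the web-based manager accepts: 1 to 3 pairs, known names."""
    if not 1 <= len(proposals) <= 3:
        raise ValueError("a remote gateway carries 1 to 3 P1 proposals")
    for enc, auth in proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            raise ValueError(f"unsupported algorithm in proposal {enc}/{auth}")
    return proposals


def negotiate_p1(initiator, responder, initiator_dh, responder_dh):
    """Return the (encryption, authentication) pair selected for phase 1, or
    None if no common pair exists. In IKEv1 the DH group is part of the phase 1
    transform, so a mismatch there fails negotiation as well."""
    validate(initiator)
    validate(responder)
    if initiator_dh != responder_dh:
        return None
    accepted = set(responder)
    for pair in initiator:          # the initiator's order expresses its preference
        if pair in accepted:
            return pair
    return None


def weak_algorithms(proposals):
    """Names of weak algorithms still offered, so an operator can prune them."""
    return sorted({alg for pair in proposals for alg in pair if alg in WEAK})


def harden(proposals):
    """Drop every pair that contains a weak algorithm (may leave nothing)."""
    return [pair for pair in proposals if not set(pair) & WEAK]


# Constructed peers: a head office offering three pairs and three branches.
HQ = [("3DES", "SHA1"), ("3DES", "MD5"), ("DES", "MD5")]
BRANCH_GOOD = [("3DES", "SHA1")]
BRANCH_LEGACY = [("DES", "MD5")]
BRANCH_NONE = [("DES", "SHA1")]
```

Against BRANCH_LEGACY the head office ends up on DES/MD5 even though it prefers 3DES/SHA1; after harden(HQ) that branch no longer negotiates at all, which is the trade-off to make knowingly rather than by accident.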
109. ies and addresses. In addition, any routing set in Transparent mode is also deleted. This includes the default route that is part of the default Transparent mode configuration.
• Go to System > Status.
• Select Change to NAT Mode.
• Select NAT/Route in the operation mode list.
• Select OK.
The DFL-500 NPG changes operation mode.
• To reconnect to the web-based manager, browse to the interface that you have configured for management access using https:// followed by the IP address of the interface.

Restarting the DFL-500 NPG

Use the following procedure to restart the DFL-500 NPG:
• Go to System > Status.
• Select Restart.
The DFL-500 NPG restarts.

Shutting down the DFL-500 NPG

Use the following procedure to shut down the DFL-500 NPG:
• Go to System > Status.
• Select Shutdown.
The DFL-500 NPG shuts down and all traffic flow stops. The DFL-500 NPG can only be restarted after shutdown by disconnecting and reconnecting the power.

System status monitor

You can use the system status monitor to view system activity, including the number of active communication sessions and information about each session. The system status monitor also displays DFL-500 NPG CPU usage, memory usage, and system up time statistics.

To view system status:
• Go to System > Status > Monitor. The system status monitor appears.
• To page through the list of connections, select Page Up and Page Down.
• Select
110. ion to the ping target. Set Fail-over Detection to the number of times that the connection test fails before the DFL-500 NPG assumes that the gateway is no longer functioning.
• Select OK to save the routing gateway.
• Repeat this procedure to add all the routing gateways that you require.

Adding a default route

Use the following procedure to add a default route for network traffic leaving the external interface.
• Go to System > Network > Routing Table.
• Select New to add a new route.
• Set the Source IP and Netmask to 0.0.0.0.
• Set the Destination IP and Netmask to 0.0.0.0.
• Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
Note: If you are adding a default route (source and destination IPs and netmasks set to 0.0.0.0), you do not have to use the procedure Adding routing gateways to add this routing gateway.
• Select OK to save the default route.

Adding routes to the routing table

When you have added routing gateways, you can use the following procedure to add routes to them. Add routes to determine the path that data follows from the DFL-500 NPG to routing gateways and other networks.
• Go to System > Network > Routing Table.
• Select New to add a new route.
• Type the Source IP address and Netmask for the route.
• Type the Destination IP address and Netmask for the route.
• Add the IP addresses of up to four gateways. The IP addresses that you add must match the IP addresses of the routin
111. key exchange. A user group has been selected in the server dialup remote gateway. Clients authenticate with the server using their authentication keys. The client authentication key can be one of the following:
• The same as the server authentication key
• A user name and password in the user group added to the dialup server remote gateway. In this configuration, the client's pre-shared key must be formatted with a separator character between the user name and password (username[separator]password).

Main mode with a user group selected
  Field               Server                     Client configuration 1     Client configuration 2
  User Group          Select a user group        N/A                        N/A
  Mode                Main (ID Protection)       Main (ID Protection)       Main (ID Protection)
  Authentication Key  Server authentication key  Server authentication key  username[separator]password
  Local ID            empty                      empty                      empty

Aggressive mode with no user group

In this configuration the server and the clients use aggressive mode for key exchange. A user group has not been selected in the server dialup remote gateway. Clients authenticate with the server using their authentication keys. Note that aggressive mode sends the identity and the pre-shared-key-derived hash before the exchange is encrypted, so a captured exchange can be attacked offline; use long random keys and prefer main mode where the client supports it.

Aggressive mode with no user group
  Field               Server       Clients
  User Group          None         N/A
  Mode                Aggressive   Aggressive
  Authentication Key  The server and the clients must have the same authentication key
  Local ID            empty        empty

Aggressive mode with a user group selected

In this configuration the server and the clients use aggressive
112. l determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.

RADIUS (Remote Authentication Dial-In User Service): An authentication and accounting system used by many Internet Service Providers (ISPs). When users dial into an ISP, they enter a user name and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system.

Router: A device that connects LANs into an internal network and routes traffic between them.

Routing: The process of determining a path to use to send data to its destination.

Routing table: A list of valid paths through which data can be transmitted.

Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network, such as printing, high-capacity storage, and network access.

SMTP (Simple Mail Transfer Protocol): In TCP/IP networks, this is an application for providing mail delivery services.

SNMP (Simple Network Management Protocol): A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP reques
113. layed in the IP address and Netmask fields.

[Screenshot: Configuring the external interface. Edit Interface dialog for the external interface, showing Addressing mode (Manual, DHCP or PPPoE), IP, Netmask, the Access check boxes HTTPS, PING, SSH and SNMP, MTU, and the option "Fragment outgoing packets greater than MTU"]

Configuring the external interface for PPPoE

Use the following procedure to configure the external interface to use PPPoE. This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface.
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to PPPoE and select OK to change to PPPoE mode.
• Enter your PPPoE account User Name and Password.
• Select OK.
The DFL-500 NPG attempts to contact the PPPoE server to set the external IP address, netmask, and default gateway IP address. When the DFL-500 NPG gets this information from the PPPoE server, the new addresses and netmask are displayed in the external IP address, netmask, and default gateway IP address fields. If the PPPoE connection with your ISP is dropped, the DFL-500 NPG automatically attempts to re-establish the connection.
• Select Enable Connect to PPPoE server if you want the DFL-500 NPG to automatically connect to a PPPoE server when it starts up.

Controlling management access to the external inte
114. le to enable IP/MAC binding for the IP/MAC pair.
• Select OK to save the IP/MAC binding pair.

Viewing the dynamic IP/MAC list
• Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.

Enabling IP/MAC binding
• Go to Firewall > IP/MAC Binding > Setting.
• Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies.
• Select Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets connecting to the firewall.
• Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list:
  Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC list.
  Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
• Select Apply to save your changes.

[Screenshot: IP/MAC settings, showing the Enable IP/MAC binding going through the firewall and Enable IP/MAC binding going to the firewall check boxes and the "For hosts not defined in table" choice between Allow traffic and Block traffic]

Users and authentication

DFL-500 NPGs support user authentication to the DFL-500 user database or to a RADIUS server. You can add user names to the DFL-500 user database and then add a password to allow the user to authenticate using the internal database. You can also add the na
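The following is an added example, not code from the D-Link manual or the product, modelling the IP/MAC binding decision described above together with the dynamic IP/MAC list that the DHCP server feeds into it. The manual's text covers the "hosts not defined in table" setting; blocking a known IP that arrives from a different MAC is what binding is for, and the example treats it that way. Two assumptions are the example's own and are marked in the code: an expired lease is dropped from the table, and a static pair wins over a lease for the same IP. Addresses, MACs and lease times are constructed.

```python
"""Added example, not from the manual: a model of the IP/MAC binding decision
described above, combining static pairs with the dynamic IP/MAC list that the
DHCP server maintains. Addresses, MACs and lease expiry times are constructed."""
from datetime import datetime

ALLOW, BLOCK = "allow", "block"


def _norm(mac):
    """Canonical lower-case, colon-separated form so 00-0C-.. and 00:0c:.. compare equal."""
    return mac.lower().replace("-", ":")


def build_binding_table(static_pairs, dynamic_leases, now):
    """static_pairs: {ip: mac} entered by hand.
    dynamic_leases: [(ip, mac, expire datetime)] from the dynamic IP list.
    Assumptions for this example: an expired lease is dropped, since its
    address may be reassigned, and a static pair wins over a lease for the
    same IP."""
    table = {ip: _norm(mac) for ip, mac in static_pairs.items()}
    for ip, mac, expire in dynamic_leases:
        if expire > now and ip not in table:
            table[ip] = _norm(mac)
    return table


def ipmac_decision(table, ip, mac, undefined_hosts=BLOCK):
    """Apply the binding rules to one packet: a known IP must arrive from its
    bound MAC; an unknown pair is handled by the 'For hosts not defined in
    table' setting (Allow traffic or Block traffic)."""
    if ip in table:
        return ALLOW if table[ip] == _norm(mac) else BLOCK
    return undefined_hosts


# Constructed data: one static pair, one live lease and one expired lease,
# evaluated at a fixed point in time.
NOW = datetime(2002, 9, 22, 19, 40, 0)
STATIC = {"192.168.1.10": "00:11:22:33:44:55"}
LEASES = [
    ("192.168.2.20", "00:0c:76:a3:b1:c2", datetime(2002, 9, 22, 19, 45, 19)),
    ("192.168.2.21", "00:0c:76:a3:b1:d9", datetime(2002, 9, 22, 19, 30, 0)),  # expired
]
TABLE = build_binding_table(STATIC, LEASES, NOW)
```

A host that takes 192.168.1.10 with a MAC other than the bound one is blocked whatever the undefined-hosts setting says; only genuinely unknown pairs are governed by that setting, which is why Block traffic is the safer choice once every legitimate host is in the table.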
115. lly becomes the Local ID. For information about the Local ID, see About dialup VPN authentication.

NAT traversal: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect. Both ends of the gateway must have the same NAT traversal setting. See About NAT traversal.

Keepalive Frequency: If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.

• Select OK to save the remote gateway.

[Screenshot: Adding a remote gateway with Dialup User selected. Fields: Gateway Name, Remote Gateway (Dialup User), User Group, Mode (Aggressive or Main ID Protection), P1 Proposal (Encryption and Authentication for each proposal), DH Group, Keylife (seconds), Authentication (Pre-shared Key), Local ID (optional), Peer ID (optional), Nat traversal (Enable) and Keepalive Frequency (seconds)]

About dialup VPN authentication

For dialup VPN authentication to work, you must create compatible configurations on the DFL-500 NPG that is the dialup server and its dialup clients. T
me of a RADIUS server and select RADIUS to allow the user to authenticate using the selected RADIUS server. You can also disable users so that they cannot authenticate with the DFL-500 NPG.
To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers to user groups. You can then select a user group when you require authentication. You can require authentication for:
• any firewall policy with Action set to ACCEPT (see Adding NAT/Route mode policies)
• IPSec dialup remote gateways (see Adding a remote gateway)
• PPTP (see PPTP VPN configuration)
• L2TP (see L2TP VPN configuration)
When a user enters a user name and password, the DFL-500 NPG searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed; if the password does not match, the connection is dropped. If RADIUS is selected and RADIUS support is configured, and the user name and password match a user name and password on the RADIUS server, the connection is allowed; if the user name and password do not match a user name and password on the RADIUS server, the connection is dropped.
This chapter describes:
• Setting authentication time out
• Adding user names and configuring authentication
• Configuring RADIUS support
mode for key exchange. A user group is selected in the server dialup remote gateway. The format of the authentication key depends on the information in the Local ID field.

Aggressive mode with a user group selected (table; the scanned column layout is only partly recoverable). Columns: Field, Server configuration, Client configuration 1, Client configuration 2, Client configuration 3. Rows: Select a user group (User Group on the server, N/A on the clients); Mode (Aggressive on the server and on every client); Authentication Key (the server authentication key on the server; on the clients either the client's password or the server authentication key, depending on the Local ID); Local ID (empty, the client IP address, the client domain name, or other information in a different format).

About DH groups
The Diffie-Hellman (DH) algorithm creates a shared secret key that can be created at both ends of the VPN tunnel without communicating the key across the Internet. You can select from DH group 1, 2 and 5. DH group 5 produces the most secure shared secret key and DH group 1 produces the least secure key. However, DH group 1 is faster than DH group 5.

About the P1 proposal
AutoIKE key IPSec VPNs use a two-phase process for creating a VPN tunnel. During the first phase (P1), the VPN gateways at each end of the tunnel negotiate to select a common algorithm for encryption and another one for authentication. When you configure the remote gateway P1 proposal, you are selecting the algorithms that the DFL-500 NPG proposes during phase 1 negotiation. You can select up to t
mote gateways, the mode at both ends of the gateway must be the same.
P1 Proposal: Select up to three encryption and authentication algorithm combinations to propose for phase 1. Two are selected by default. To decrease the number of combinations selected, select the minus sign. To increase the number of combinations selected, select the plus sign. See About the P1 proposal.
DH Group: Select one or more Diffie-Hellman groups to propose for Phase 1 of the IPSec VPN connection. You can select DH group 1, 2 and 5. See About DH groups.
Keylife: Specify the keylife for Phase 1. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.
Authentication (Pre-shared Key): Enter an authentication key. The key can contain any characters and must be at least 6 characters in length. The pre-shared key must be the same on the server and on the remote VPN gateway or client and should only be known by network administrators. For information about the pre-shared key, see About dialup VPN authentication.
Local ID: Optionally enter a local ID if you set Remote Gateway to Dialup User and select Aggressive Mode. Enter the IP address of the dialup user or the domain name of the dialup user, for example domain.com. If you do not add a local ID, the DFL-500 external interface automatica
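The P1 negotiation and the remote gateway field rules above (up to three proposals, DH groups 1/2/5, keylife 120 to 172,800 seconds, a pre-shared key of at least 6 characters, the same mode at both ends) modelled in Python. This is an added example, not D-Link or DFL-500 code: the algorithm names in the sample proposals are constructed, and two behaviours the manual does not spell out are assumptions noted in the comments (the responder accepts the first of the initiator's proposals it also offers, and of several common DH groups the strongest is used).

```python
"""Phase 1 (P1) proposal negotiation and remote-gateway field checks.
Added example following the rules the manual states; not D-Link/DFL-500 code."""
from typing import Dict, List, Optional, Sequence, Tuple

Proposal = Tuple[str, str]   # (encryption algorithm, authentication algorithm)

# Manual: group 5 gives the strongest shared secret, group 1 the weakest (but fastest).
DH_GROUP_STRENGTH: Dict[int, int] = {1: 1, 2: 2, 5: 3}
P1_KEYLIFE_MIN, P1_KEYLIFE_MAX = 120, 172_800   # seconds, from the manual
MIN_PSK_LEN = 6                                 # pre-shared key length, from the manual
MAX_PROPOSALS = 3                               # up to three combinations, from the manual


def check_remote_gateway(proposals: Sequence[Proposal], dh_groups: Sequence[int],
                         keylife: int, psk: str, mode: str, peer_mode: str) -> List[str]:
    """Return a list of rule violations for one remote gateway definition (empty = OK)."""
    problems: List[str] = []
    if not 1 <= len(proposals) <= MAX_PROPOSALS:
        problems.append(f"P1 proposal: select 1 to {MAX_PROPOSALS} combinations, got {len(proposals)}")
    if not dh_groups or any(g not in DH_GROUP_STRENGTH for g in dh_groups):
        problems.append("DH group: select one or more of groups 1, 2 and 5")
    if not P1_KEYLIFE_MIN <= keylife <= P1_KEYLIFE_MAX:
        problems.append(f"Keylife: {keylife} s is outside {P1_KEYLIFE_MIN}-{P1_KEYLIFE_MAX} s")
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"Pre-shared key: must be at least {MIN_PSK_LEN} characters")
    if mode != peer_mode:
        problems.append(f"Mode: {mode} here but {peer_mode} at the peer; both ends must match")
    return problems


def negotiate_p1(initiator: Sequence[Proposal], responder: Sequence[Proposal],
                 initiator_dh: Sequence[int], responder_dh: Sequence[int]
                 ) -> Optional[Tuple[Proposal, int]]:
    """Pick the common (encryption, authentication) pair and DH group for phase 1.
    Assumption: the responder accepts the first proposal in the initiator's order that it
    also offers, and the strongest DH group common to both sides is used. Returns None
    when the two sides share no proposal or no DH group (phase 1 fails)."""
    acceptable = set(responder)
    chosen = next((p for p in initiator if p in acceptable), None)
    common_dh = set(initiator_dh) & set(responder_dh)
    if chosen is None or not common_dh:
        return None
    return chosen, max(common_dh, key=lambda g: DH_GROUP_STRENGTH[g])


if __name__ == "__main__":
    # Constructed sample: the server proposes two combinations, the client three.
    server = [("3DES", "SHA1"), ("DES", "MD5")]
    client = [("DES", "MD5"), ("3DES", "MD5"), ("3DES", "SHA1")]
    print(check_remote_gateway(server, [2, 5], 28800, "s3cretkey", "Aggressive", "Aggressive"))
    print(negotiate_p1(server, client, [1, 2, 5], [2, 5]))
```

With the sample lists the server's first proposal, 3DES/SHA1, is in the client's list, so it is selected even though the client listed DES/MD5 first; the common DH groups are 2 and 5, and 5 is used.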
nd activity events. You can also use Log & Report to configure the DFL-500 NPG to send alert emails for:
• Critical firewall or VPN events or violations (also recorded by the event log)
This chapter describes:
• Configuring Logging
• Configuring alert email

Configuring Logging
You can configure logging to record logs to one or more of the following locations:
• a computer running a syslog server
• a computer running a WebTrends firewall reporting server
You can also configure the kind of information that is logged. This chapter describes:
• Recording logs on a remote computer
• Recording logs on a WebTrends server
• Selecting what to log

Recording logs on a remote computer
Use the following procedure to configure the DFL-500 NPG to record logs on a remote computer. The remote computer must be configured with a syslog server.
• Go to Log & Report > Log setting.
• Select Log to Remote Host to send the logs to a syslog server.
• Add the IP address of the computer running the syslog server software.
• Select Apply to save your log settings.

Recording logs on a WebTrends server
Use the following procedure to configure the DFL-500 NPG to record logs on a remote WebTrends firewall reporting server for storage and analysis. DFL-500 log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with WebTrends Firewall Suite 4.1. Refer to the WebTrends Firewall Suite documentation for more information. To rec
ned Word to turn on content blocking. The DFL-500 NPG is now configured to block web pages containing words and phrases added to the banned word list.
• Select New to add a word or phrase to the banned word list.
• Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese or Korean. Your computer and web browser must be configured to enter characters in the character set that you choose.
• Type a banned word or phrase. If you type a single word, for example banned, the DFL-500 NPG blocks all web pages that contain that word. If you type a phrase, for example banned phrase, the DFL-500 NPG blocks web pages that contain both words. When this phrase appears on the banned word list, the DFL-500 NPG inserts plus signs in place of spaces, for example banned+phrase. If you type a phrase in quotes, for example "banned phrase", the DFL-500 NPG blocks all web pages in which the words are found together as a phrase. Content filtering is not case sensitive. You cannot include special characters in banned words.
• Select OK. The word or phrase is added to the banned word list.
• In the Modify column, check the box beside the new entry in the banned word list so that the DFL-500 NPG blocks web pages containing this word or phrase. You can enter multiple banned words or phrases and then select Check All to activate all entries in
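The three entry forms described above (single word, unquoted phrase stored with plus signs, quoted phrase), the case-insensitive match and the Modify check box that activates an entry, modelled in Python. This is an added example, not D-Link or DFL-500 code; the banned list and page texts are constructed, and plain substring matching is an assumption (the manual only says a page must "contain" the word).

```python
"""Banned word list matching as the manual describes it.
Added example; not D-Link/DFL-500 code. Substring matching is an assumption."""
from typing import Iterable, List, Tuple


def store_entry(typed: str) -> str:
    """Turn what the administrator typed into its list form: spaces in an unquoted
    phrase become '+' (as the manual shows); a quoted phrase is kept verbatim."""
    typed = typed.strip()
    if len(typed) >= 2 and typed[0] == '"' and typed[-1] == '"':
        return typed
    return typed.replace(" ", "+")


def entry_matches(entry: str, page_text: str) -> bool:
    """Apply one stored entry to page text. Matching is not case sensitive (manual)."""
    text = page_text.lower()
    if len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"':
        # Quoted phrase: the words must occur together, in order.
        phrase = " ".join(entry[1:-1].lower().split())
        return phrase in text
    # Unquoted word or plus-joined phrase: every word must occur somewhere on the page.
    words = [w.lower() for w in entry.split("+") if w]
    return bool(words) and all(w in text for w in words)


def blocked_by(banned_list: Iterable[Tuple[str, bool]], page_text: str) -> List[str]:
    """Return the active entries (Modify box checked) that block this page.
    banned_list holds (stored_entry, active) pairs."""
    return [entry for entry, active in banned_list if active and entry_matches(entry, page_text)]


# Constructed sample list: three activated entries and one that was added but not checked.
BANNED = [
    (store_entry("banned"), True),
    (store_entry("banned phrase"), True),     # stored as "banned+phrase"
    (store_entry('"banned phrase"'), True),   # words must appear together
    (store_entry("casino"), False),           # not activated, so it never blocks
]

if __name__ == "__main__":
    for page in ("Nothing to see here", "phrase appears, then BANNED appears",
                 "A Banned Phrase together", "casino night"):
        print(repr(page), "->", blocked_by(BANNED, page) or "allowed")
```

The second sample page shows the difference between the two phrase forms: both words are present, so the plus-joined entry blocks it, but the quoted entry does not because the words are not adjacent.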
Adding RADIUS servers 45
Deleting RADIUS servers 45
Configuring user groups 46
Adding user groups 46
Deleting user groups 47
IPSec VPN 48
Interoperability with IPSec VPN products 48
Configuring AutoIKE key IPSec VPN 49
Configuring manual key IPSec VPN 50
Configuring dialup VPN 50
Configuring a VPN concentrator for hub and spoke VPN 50
Configuring the VPN concentrator 51
Configuring the member VPNs
ng the web based manager.
• Go to System > Status.
• Select Firmware Upgrade.
• Enter the path and filename of the firmware update file, or select Browse and locate the file.
• Select OK to upload the firmware update file to the DFL-500 NPG. The DFL-500 NPG uploads the file and restarts, running the new version of the firmware.
• Reconnect to the web based manager.
• Go to System > Status and check the Firmware Version to confirm that the updated firmware has been installed successfully.

Upgrading the firmware from a TFTP server using the CLI
To use this procedure, you must install a TFTP server and be able to connect to this server from the internal interface. The TFTP server should be on the same subnet as the internal interface.
Note: Installing new firmware using the CLI deletes all changes that you have made to the configuration and reverts the system to its default configuration, including resetting interface addresses. To keep your current settings before installing new firmware, download your configuration file (see Backing up system settings) and your web content and URL filtering lists (see Backing up and restoring the banned word list, Downloading the URL block list and Downloading the Exempt URL list).

Upgrading the firmware
To install a firmware upgrade using the CLI:
• Connect to the CLI.
• Make sure that the TFTP server is running.
• Copy the new firmware image file to the root directory of your TFTP server.
• Make s
oing through the firewall
• Go to Firewall > IP/MAC Binding > Static IP/MAC.
• Select New to add IP/MAC binding pairs to the IP/MAC binding list.
All packets that would normally be matched with policies to be able to go through the firewall are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.
For example, if the IP/MAC pair IP 1.1.1.1 and MAC 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  • is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic
  • is blocked if IP/MAC binding is set to Block traffic

Configuring IP/MAC binding for packets going to the firewall
Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall, for example when an administrator is connecting to the DFL-500 NPG for management.
• Go to Firewall > IP/MAC Binding > Setting
on against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with this user's guide, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.

CE Mark Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

Registration
Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg
onfigure the external interface:
• Configuring the external interface with a static IP address
• Configuring the external interface for DHCP
• Configuring the external interface for PPPoE
• Controlling management access to the external interface
• Changing the external interface MTU size to improve network performance

Configuring the external interface with a static IP address
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to Manual.
• Change the IP address and Netmask as required.
• Select OK to save your changes.

Configuring the external interface for DHCP
Use the following procedure to configure the external interface to use DHCP. This configuration is required if your ISP uses DHCP to assign the IP address of the external interface.
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0.
• Select Enable Connect to DHCP server if you want the DFL-500 NPG to automatically connect to a DHCP server when it starts up.
• Select OK. The DFL-500 NPG attempts to contact a DHCP server from the external interface to set the external IP address, netmask and default gateway IP address. When the DFL-500 NPG gets this information from the DHCP server, the new addresses and netmask are disp
ord logs on a WebTrends server:
• Go to Log & Report > Log setting.
• Select Log in WebTrends Enhanced Log Format.
• Add the IP address of the WebTrends firewall reporting server.
• Select Apply to save your log settings.

Example log settings (figure: Log to Remote Host IP; Log in WebTrends Enhanced Log Format, 192.168.2.30; Log All Internal Traffic To Firewall; Log All External Traffic To Firewall; Log All Events)

Selecting what to log
Use the following procedure to configure the type of information recorded in DFL-500 logs.
• Go to Log & Report > Log setting.
• Select Log All Internal Traffic To Firewall to record all connections to the internal interface. This setting is not available in Transparent mode.
• Select Log All External Traffic To Firewall to record all connections to the external interface. This setting is not available in Transparent mode.
Note: When the DFL-500 NPG is running in Transparent mode, you can select Log All Events.
Note: Traffic logs are also recorded when you select Log Traffic for a firewall policy.
• Select Log All Events to record management and activity events in the event log. Management events include changes to the system configuration as well as administrator and user logins and logouts. Activity events include system activities such as VPN tunnel establishment, web content blocking and so on.
• Select Apply to save your log settings.
Con
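The manual only names the WebTrends Enhanced Log Format (WELF) that the DFL-500 writes; the block below, an added example and not D-Link code, parses records in that key=value style and tallies them the way a reporting server would (records per priority, denied connections per source). The sample lines are constructed, and the set of required WELF fields (id, time, fw, pri) and the field names used in the samples are assumptions taken from the public WELF description, not from this manual.

```python
"""Parse and summarise WELF-style firewall log records.
Added example; not D-Link/DFL-500 code. Sample lines are constructed; the
required-field set follows the public WELF description (assumption)."""
import re
from collections import Counter
from typing import Dict, List

# key=value tokens; a value is either a double-quoted string or a run of non-spaces.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REQUIRED = ("id", "time", "fw", "pri")   # assumption: WELF's mandatory fields


def parse_welf(line: str) -> Dict[str, str]:
    """Split one record into a dict; raise ValueError if a required field is absent."""
    rec: Dict[str, str] = {}
    for key, val in TOKEN_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')   # unquote, unescape embedded quotes
        rec[key] = val
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"not a WELF record, missing {missing}: {line!r}")
    return rec


def is_welf(line: str) -> bool:
    try:
        parse_welf(line)
        return True
    except ValueError:
        return False


def parse_all(text: str) -> List[Dict[str, str]]:
    return [parse_welf(ln) for ln in text.splitlines() if ln.strip()]


def count_by(records: List[Dict[str, str]], key: str) -> Counter:
    """Count records per distinct value of one field (e.g. pri)."""
    return Counter(r.get(key, "<none>") for r in records)


def denied_sources(records: List[Dict[str, str]]) -> Counter:
    """Count denied connections per source address; 'denied' in msg is an assumption
    about how the reporting server labels a drop."""
    return Counter(r["src"] for r in records
                   if "denied" in r.get("msg", "").lower() and "src" in r)


# Constructed sample log, not real DFL-500 output.
SAMPLE = """\
id=firewall time="2003-07-10 09:25:31" fw=192.168.1.99 pri=6 rule=1 proto=http src=192.168.1.5 dst=10.1.1.1 msg="Traffic allowed"
id=firewall time="2003-07-10 09:25:40" fw=192.168.1.99 pri=4 rule=0 proto=telnet src=192.168.1.7 dst=10.1.1.1 msg="Traffic denied"
id=firewall time="2003-07-10 09:25:41" fw=192.168.1.99 pri=4 rule=0 proto=telnet src=192.168.1.7 dst=10.1.1.2 msg="Traffic denied"
id=firewall time="2003-07-10 09:26:02" fw=192.168.1.99 pri=5 type=mgmt user=admin msg="User admin login failed"
"""

if __name__ == "__main__":
    recs = parse_all(SAMPLE)
    print("records per pri:", dict(count_by(recs, "pri")))
    print("denied per src:", dict(denied_sources(recs)))
```

Quoted values are handled by the tokenizer so a message such as "User admin login failed" stays one field; a line that lacks the mandatory fields is rejected rather than silently producing a half-empty record.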
ork. The destination of this policy must be the address of the network behind the remote DFL-500 NPG gateway. The policy must also include the VPN tunnel that you created to communicate with the remote DFL-500 NPG VPN gateway.
When users on your internal network attempt to connect to the internal network behind the remote DFL-500 NPG gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote DFL-500 NPG VPN gateway, and the DFL-500 NPGs use their remote gateway and VPN tunnel configurations to establish a VPN tunnel between them.
Using encrypt policies, you can control:
• the direction of traffic flow through the VPN
• the addresses that can connect to the VPN tunnel
The source and destination addresses that you specify when you add an encrypt policy identify the computers or networks that can connect using the VPN. Users connecting from either the source or destination address will be able to connect to the other address securely using the VPN. The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.
To add an encrypt policy:
• Add the source address for the policy. The source address is an IP address on your internal network that can connect to the VPN. For information about adding addresses, see Adding addresses.
• Add the destination address
outbound to enable outbound users to connect to the destination address.
Inbound NAT: The DFL-500 NPG translates the source address of incoming packets to the IP address of the DFL-500 interface connected to the source address network.
Outbound NAT: The DFL-500 NPG translates the source address of outgoing packets to the IP address of the DFL-500 interface connected to the destination address network.
Use the information in Adding NAT/Route mode policies to configure the remaining policy settings.
• Select OK to save the encrypt policy.
• To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses in the policy list.

Viewing VPN tunnel status
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status of the tunnel as well as the tunnel time out.
To view VPN tunnel status:
• Go to VPN > IPSEC > AutoIKE Key.
The Status column displays the status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.

AutoIKE key tunnel status (figure: Policy; Source Local_VPN_net; Destination Remote_VPN_net)
pment has power.
LED table:
Internal, External (front): Green: the correct cable is in use and the connected equipment has power. Flashing Green: network activity at this interface. Off: no link established.
Internal, External (back): Green: the correct cable is in use and the connected equipment has power. Flashing Amber: network activity at this interface. Off: no link established.

Front and back view of the DFL-500 NPG (figure)

Initial configuration
When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration listed in DFL-500 NPG initial power-on settings.

DFL-500 NPG initial power-on settings
Operating mode: NAT/Route
Administrator account: User name admin; Password none
Internal interface: 192.168.1.99; Netmask 255.255.255.0
External interface: Manual; 192.168.100.99; Netmask 255.255.255.0; Default Gateway 192.168.100.1; Primary DNS Server 207.194.200.1; Secondary DNS Server 207.194.200.129

Connecting to the web based manager
The web based manager is the primary tool for installing and configuring your DFL-500 NPG. Configuration changes made with the web based manager are effective immediately, without the need to reset the firewall or interrupt service.
To connect to the web based manager, you need a computer with an ethernet connection, Internet Explorer version 4.0 or higher, a crossover cable or an ethernet hub and two ethernet cables.
To connect
policy list is described in Configuring policy lists.

Adding a Transparent mode Int > Ext policy (figure: Source; Destination; Schedule; Service; Action; Authentication; User Group; Log Traffic)

Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. To create exceptions to this policy, they must be added to the policy list above the default policy. No policy below the default policy will ever be matched.
This section describes:
• Policy matching in detail
• Changing the order of policies in a policy list
• Enabling and disabling policies

Policy matching in detail
When the firewall receives a connection attempt at an interface, it must match the connection attempt to a policy in either the Int > Ext or Ext > Int policy list. The firewall starts at the top of the policy list for the interface that received the connection attempt and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service (port), and the time and date at which the conn
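The two matching stages the manual describes, the IP/MAC binding check that runs before policy lookup (the four packet cases in the IP/MAC binding section, with the Allow traffic / Block traffic setting for unknown pairs) and the top-down first-match policy search described here, implemented together in Python. This is an added example, not D-Link or DFL-500 code: the binding table, packets and policies are constructed (the MAC is a six-octet value, unlike the manual's seven-group example), schedules are left out, and a policy's service is reduced to a protocol and port.

```python
"""IP/MAC binding gate followed by top-down first-match policy lookup.
Added example modelled on the manual's description; not D-Link/DFL-500 code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    src: str            # CIDR network
    dst: str            # CIDR network
    service: Tuple[str, Optional[int]]   # ("tcp", 23) or ("any", None)
    action: str         # "ACCEPT" or "DENY"
    enabled: bool = True


def ip_mac_check(pkt: Packet, bindings: Dict[str, str], unknown: str) -> bool:
    """True if the packet may go on to policy matching. `bindings` maps IP -> MAC for the
    enabled static entries; `unknown` is the setting for pairs not in the table
    ("allow" or "block")."""
    mac = pkt.src_mac.lower()
    if pkt.src_ip in bindings:
        return bindings[pkt.src_ip].lower() == mac   # bound IP with another MAC: spoofing, drop
    if mac in (m.lower() for m in bindings.values()):
        return False                                 # bound MAC with another IP: spoofing, drop
    return unknown == "allow"                        # neither known: the Setting page decides


def first_match(pkt: Packet, policies: List[Policy]) -> Optional[Policy]:
    """Walk the list top to bottom and return the first enabled policy that matches."""
    for pol in policies:
        if not pol.enabled:
            continue
        if ip_address(pkt.src_ip) not in ip_network(pol.src):
            continue
        if ip_address(pkt.dst_ip) not in ip_network(pol.dst):
            continue
        proto, port = pol.service
        if proto != "any" and (proto != pkt.proto or port != pkt.dst_port):
            continue
        return pol
    return None


def decide(pkt: Packet, bindings: Dict[str, str], unknown: str,
           policies: List[Policy]) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet."""
    if not ip_mac_check(pkt, bindings, unknown):
        return ("DROP", "IP/MAC binding")
    pol = first_match(pkt, policies)
    if pol is None:
        return ("DROP", "no matching policy")
    return (pol.action, pol.name)


# Constructed data. The specific exception sits above the general default policy,
# as the manual requires; reversing the list makes the default swallow everything.
BINDINGS = {"1.1.1.1": "12:34:56:78:90:ab"}
POLICIES = [
    Policy("deny-telnet", "0.0.0.0/0", "0.0.0.0/0", ("tcp", 23), "DENY"),
    Policy("default", "0.0.0.0/0", "0.0.0.0/0", ("any", None), "ACCEPT"),
]

if __name__ == "__main__":
    samples = [
        Packet("1.1.1.1", "12:34:56:78:90:AB", "10.0.0.5", "tcp", 80),   # bound pair, matches
        Packet("1.1.1.1", "de:ad:be:ef:00:01", "10.0.0.5", "tcp", 80),   # bound IP, other MAC
        Packet("2.2.2.2", "12:34:56:78:90:ab", "10.0.0.5", "tcp", 80),   # bound MAC, other IP
        Packet("2.2.2.2", "de:ad:be:ef:00:01", "10.0.0.5", "tcp", 23),   # unknown pair, telnet
    ]
    for p in samples:
        print(p.src_ip, p.src_mac, "->", decide(p, BINDINGS, "allow", POLICIES))
```

Note that the unknown-pair telnet packet reaches the policy list only when the setting is Allow traffic, and is then caught by deny-telnet because that policy is above the default; with the list reversed the same packet is accepted by the default policy, which is the ordering mistake the manual warns about.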
ppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
• To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
• To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
• Select OK to add the address group.

Services
Use services to control the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create your own custom services and add services to service groups.
This section describes:
• Predefined services
• Providing access to custom services
• Grouping services

Predefined services
To view the list of predefined services, go to Firewall > Service > Pre-defined. You can add predefined services to any policy.

Providing access to custom services
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
• Go to Firewall > Service > Custom.
• Select New.
• Enter a Name for the service. This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowe
pted.
Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent.
Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions such as using up the computer's resources and possibly shutting the system down.

Index
A
action, policy option
ActiveX, removing from web pages
address: adding; editing; group; IP/MAC binding; virtual IP
address group, example
address name
admin administrator account
administrator account: adding; admin; editing; netmask; trusted host
aggressive mode, remote gateway
alert email: configuring; critical firewall or VPN events
allow traffic, IP/MAC binding
authentication: policy option; timeout
authentication key: IPSec VPN remote gateway; manual key VPN tunnel
AutoIKE key: adding VPN remote gateway; adding VPN tunnel; VPN, configuring; VPN tunnel
backing up system settings
banned word list: backing up; clearing; restoring
blacklist, URL
block message, changing
block traffic, IP/MAC binding
C
clear communication sessions
CLI: configuring IP addresses; connecting to
concentrator: adding VPN; hub and spoke configuration
hub and spoke VPN
connecting: to your network; web based manager
contact information, SNMP
content blocking
content filterin
r the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption algorithm to use for the tunnel. Depending on the encryption algorithm, you must also specify the encryption keys and, optionally, the authentication keys used by the tunnel.
Because the keys are created when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption algorithm and must have the same encryption and authentication keys.
To create a manual key VPN tunnel:
• Go to VPN > IPSEC > Manual Key.
• Select New to add a new manual key VPN tunnel.
• Configure the VPN tunnel:
VPN Tunnel Name: Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed.
Local SPI (Security Parameter Index): Enter a hexadecimal number of up to eight digits (numbers 0-9 and/or letters a-f). The hexadecimal number must be added to the Remote SPI at the opposite end of the tunnel. The Local SPI value must be greater than bb8.
Remote SPI: Enter a hexadecimal number of up to eight digits. The hexadecimal number must be added to the Local SPI at the opposite end of the tunnel. The Remote SPI value must be greater than bb8.
Remote Gateway: Enter the external IP address of the DFL-500 NPG or other IPSec ga
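The field rules for a manual key tunnel (name character set, SPI as up to eight hex digits greater than bb8) and the cross-check that both ends mirror each other (one side's Local SPI is the other's Remote SPI, same algorithm and keys) as a small Python validator. This is an added example, not D-Link or DFL-500 code; the dictionary keys (name, local_spi, remote_spi, algorithm, enc_key, auth_key) and the two sample configurations are constructed, and the hyphen in the allowed-character set is assumed from the manual's "- and _".

```python
"""Field checks for a manual key IPSec VPN tunnel and its peer.
Added example following the rules the manual states; not D-Link/DFL-500 code."""
import re
from typing import Dict, List

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")    # digits, letters, '-' and '_' only
SPI_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")   # up to eight hexadecimal digits
SPI_FLOOR = 0xBB8                            # manual: the SPI must be greater than bb8


def valid_tunnel_name(name: str) -> bool:
    return bool(NAME_RE.match(name))


def parse_spi(text: str) -> int:
    """Return the SPI as an integer, or raise ValueError naming the rule that failed."""
    if not SPI_RE.match(text):
        raise ValueError(f"SPI {text!r}: must be 1 to 8 hexadecimal digits")
    value = int(text, 16)
    if value <= SPI_FLOOR:
        raise ValueError(f"SPI {text!r}: must be greater than bb8")
    return value


def spi_ok(text: str) -> bool:
    try:
        parse_spi(text)
        return True
    except ValueError:
        return False


def check_tunnel(cfg: Dict[str, str]) -> List[str]:
    """Rule violations in one side's tunnel definition (empty list = OK)."""
    problems: List[str] = []
    if not valid_tunnel_name(cfg["name"]):
        problems.append(f"name {cfg['name']!r}: only 0-9, A-Z, a-z, - and _ are allowed")
    for field in ("local_spi", "remote_spi"):
        try:
            parse_spi(cfg[field])
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    return problems


def check_peers(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Both ends must mirror each other: a.local_spi == b.remote_spi and vice versa,
    and the algorithm, encryption key and authentication key must be identical."""
    problems: List[str] = []
    if a["local_spi"].lower() != b["remote_spi"].lower():
        problems.append("A's Local SPI is not B's Remote SPI")
    if b["local_spi"].lower() != a["remote_spi"].lower():
        problems.append("B's Local SPI is not A's Remote SPI")
    for field in ("algorithm", "enc_key", "auth_key"):
        if a.get(field) != b.get(field):
            problems.append(f"{field} differs between the two ends")
    return problems


# Constructed sample: two gateways configured as mirror images of each other.
SITE_A = {"name": "To_Site-B", "local_spi": "1000", "remote_spi": "2000",
          "algorithm": "3DES-SHA1", "enc_key": "00112233445566778899aabbccddeeff",
          "auth_key": "ffeeddccbbaa9988"}
SITE_B = {"name": "To_Site-A", "local_spi": "2000", "remote_spi": "1000",
          "algorithm": "3DES-SHA1", "enc_key": "00112233445566778899aabbccddeeff",
          "auth_key": "ffeeddccbbaa9988"}

if __name__ == "__main__":
    print(check_tunnel(SITE_A), check_tunnel(SITE_B), check_peers(SITE_A, SITE_B))
    print(check_tunnel({"name": "site a", "local_spi": "bb8", "remote_spi": "123456789"}))
```

The boundary case is deliberate: bb8 itself is rejected and bb9 is the first accepted value, and a nine-digit SPI fails on length before its value is looked at.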
rface
Use the following procedure to control management access to the DFL-500 NPG through the external interface. You can configure the DFL-500 NPG so that you can access the web based manager and CLI by connecting to the external interface. You can also control whether a remote SNMP manager can connect to the external interface to download management information from the DFL-500 NPG.
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Select the management Access methods for the external interface:
HTTPS: To allow secure HTTPS connections to the web based manager through the external interface.
PING: If you want the external interface to respond to pings. Use this setting to verify your installation and for testing.
SSH: To allow secure SSH connections to the CLI through the external interface.
SNMP: To allow a remote SNMP manager to request SNMP information by connecting to the external interface. See Configuring SNMP.
Note: Selecting HTTPS for the external interface allows remote administration of the DFL-500 NPG using the web based manager from any location on the Internet. Selecting SSH for the external interface allows remote administration of the DFL-500 NPG using the CLI from any location on the Internet. Selecting SNMP for the external interface allows remote SNMP management of the DFL-500 NPG from the Internet.
• Select OK.
You can control the IP addresses from whi
ring your internal network
• Completing the configuration

Preparing to configure NAT/Route mode
Use NAT/Route mode settings to gather the information that you need to customize NAT/Route mode settings.

NAT/Route mode settings (worksheet)
Administrator password
Internal interface: IP; Netmask
External interface:
  Manual: IP; Netmask; Default Gateway; Primary DNS Server; Secondary DNS Server
  DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
  PPPoE: User name; Password. If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.
Internal server settings: Web Server; SMTP Server; POP3 Server; IMAP Server; FTP Server. To allow Internet access to a Web, SMTP, POP3, IMAP or FTP server installed on your internal network, add the IP addresses of the servers above.
DHCP server settings: Starting IP; Netmask; DNS IP. The DFL-500 NPG contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.

Using the setup wizard
From the web based manager, you can use the setup wizard to create the initial configuration of your DFL-500 NPG. To connect to the web based manager, see Connecting to the web based manager.

Starting the
rmines in its sole discretion that it is not practical to replace the non-conforming Software, the price paid by the original licensee for the non-conforming Software will be refunded by D-Link, provided that the non-conforming Software and all copies thereof is first returned to D-Link. The license granted respecting any Software for which a refund is given automatically terminates.

What You Must Do For Warranty Service
Registration is conducted via a link on our Web Site http://www.dlink.com. Each product purchased must be individually registered for warranty service within ninety (90) days after it is purchased and/or licensed. FAILURE TO PROPERLY REGISTER MAY AFFECT THE WARRANTY FOR THIS PRODUCT.

Submitting A Claim
Any claim under this limited warranty must be submitted in writing before the end of the Warranty Period to an Authorized D-Link Service Office.
• The customer must submit as part of the claim a written description of the Hardware defect or Software nonconformance in sufficient detail to allow D-Link to confirm the same.
• The original product owner must obtain a Return Material Authorization (RMA) number from the Authorized D-Link Service Office and, if requested, provide written proof of purchase of the product (such as a copy of the dated purchase invoice for the product) before the warranty service is provided.
• After an RMA number is issued, the defective product must be packaged securely
s or Protectorates, US Military Installations, addresses with an APO or FPO.

1-Year Limited Hardware Warranty
D-Link warrants that the hardware portion of the D-Link products described below ("Hardware") will be free from material defects in workmanship and materials from the date of original retail purchase of the Hardware, for the period set forth below applicable to the product type ("Warranty Period"). 1-Year Limited Warranty for the Product(s) is defined as follows:
• Hardware (excluding power supplies and fans): One (1) Year
• Power Supplies and Fans: One (1) Year
• Spare parts and spare kits: Ninety (90) days
D-Link's sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. Such repair or replacement will be rendered by D-Link at an Authorized D-Link Service Office. The replacement Hardware need not be new or of an identical make, model or part; D-Link may, in its discretion, replace the defective Hardware or any part thereof with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware. The Warranty Period shall extend for an additional ninety (90) days after any repaired or replaced Hardware is delivered. If a material defect is incapable of correction, or if D-Link determines in its sole discretion that it is not practical to repair or replace the defective Hardware, the price paid by the original purchas
Uploading an Exempt URL list 77
Logging and Reporting 78
Configuring Logging 78
Recording logs on a remote computer 78
Recording logs on a WebTrends server 78
Selecting what to log 79
Configuring alert email 79
Configuring alert email 80
Testing alert email 80
Enabling alert email 80
Administration 81
System status 81
Upgrading the DFL-500 NPG firmware 82
Displaying the DFL-500 NPG serial number 84
Backing up system settings 84
Restoring system settings
Addresses 30
Adding addresses 31
Deleting addresses 31
Organizing addresses into address groups 32
Services 32
Predefined services 33
Providing access to custom services 33
Grouping services 33
Schedules 34
Creating one-time schedules 34
Creating recurring schedules 35
Adding a schedule to a policy 35
Virtual IPs 35
Adding static NAT virtual IPs 36
Using port forwarding virtual IPs
setup wizard.
• Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).
• Use the information that you gathered in NAT/Route mode settings to fill in the wizard fields. Select the Next button to step through the wizard pages.
• Confirm your configuration settings on the last wizard page and select Finish and Close.
If you use the setup wizard to configure internal server settings, the DFL-500 NPG adds port forwarding virtual IPs and firewall policies for each server that you configure. For each server located on your internal network, the DFL-500 NPG adds an Ext > Int policy.
Reconnecting to the web-based manager
If you changed the IP address of the internal interface using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.
You have now completed the initial configuration of your DFL-500 NPG, and you can proceed to connect the DFL-500 NPG to your network using the information in Connecting to your networks.
Using the command line interface
As an alternative to the setup wizard, you can configure the DFL-500 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI).
Configuring the DFL-500 NPG to run in NAT/Route mode
• Log into the CLI
special characters - and _. The < > & characters are not allowed.
Type the IP addresses of up to three trap receivers on your network that are configured to receive traps from your DFL-500 NPG. Traps are only sent to the configured addresses.
100
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DNS, Domain Name Service: A service that converts symbolic node names to IP addresses.
Ethernet: A local area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100 Base-T or Fast Ethernet, supports data transfer rates of 100 Mbps, and the newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.
External interface: The DFL-500 interface that is connected to the Internet.
FTP, File Transfer Protocol: An application and TCP/IP protocol used to upload or download files.
Gateway: A combination of hardware and software that links different networks. Gateways between TCP/IP networks, for example, can link different subnetworks.
HTTP, Hyper Text Transfer Protocol: The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTPS: The SSL protocol for
ss of all computers connected directly to the internal network. If you are using the DFL-500 NPG as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
When the DFL-500 NPG is connected, make sure that it is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.
Completing the configuration
Use the information in this section to complete the initial configuration of the DFL-500 NPG.
Setting the date and time
For effective scheduling and logging, the DFL-500 NPG date and time should be accurate. You can either manually set the DFL-500 NPG time, or you can configure the DFL-500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the DFL-500 NPG date and time, see Setting system date and time.
DFL-500 User Manual 18
Transparent mode installation
This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install the DFL-500 NPG in NAT/Route mode, see NAT/Route mode installation.
This chapter includes:
• Preparing to configure Transparent mode
• Using the setup wizard
• Using the command line interface
• Setting the date and time
• Connecting to your network
Preparing to configure Transparent mode
Use Transparent mode settings to gather the information you need to customize Transparent mode settings
stination address, and service port number. For the packet to be connected through the DFL-500 NPG, you must have added a policy that matches the packet's source address, destination address, and service. The policy directs the action that the firewall should perform on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.
You can enable and disable policies. You can add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year. You can also enable web content filtering for policies that control the HTTP service.
Use Int > Ext policies to control how users on your internal network access the Internet. You can use these policies to apply web content filtering to protect users on your internal network from downloading unwanted content from the Internet. You can also use these policies to control IPSec VPN connections through the firewall.
Use Ext > Int policies to control connections from the Internet to your internal network. You can use these policies to apply web content filtering. You can also use these policies to allow remote users to connect to your internal network using PPTP and L2TP VPN.
This chapter describes:
• NAT/Route mode and Transparent mode
• Adding NAT/Route mode policies
• Adding Transparent mode policies
• Con
t file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the DFL-500 NPG automatically enables all URLs in the Exempt list when you upload the text file.
You can either create the Exempt URL list yourself or add a URL list created by a third-party exempt or whitelist URL service.
All changes made to the Exempt URL list using the web-based manager are lost when you upload a new list. However, you can download your current Exempt URL list, add more URLs to it using a text editor, and then upload the edited list to the DFL-500 NPG.
• In a text editor, create the list of URLs to exempt.
• Using the web-based manager, go to Web Filter > Exempt URL.
• Select Upload URL Exempt List.
• Enter the path and filename of your Exempt URL list text file, or select Browse and locate the file.
• Select OK to upload the file to the DFL-500 NPG.
• Select Return to display the updated Exempt URL list. Each page of the Exempt URL list displays 100 URLs.
• Use Page Down and Page Up to navigate through the Exempt URL list.
• You can continue to maintain the Exempt URL list by making changes to the text file and uploading it again.
DFL-500 User Manual 77
Logging and reporting
You can configure the DFL-500 NPG to record 3 types of logs:
• Traffic logs record all traffic that attempts to connect through the DFL-500 NPG.
• Event logs record management a
te and time, see Setting system date and time.
Connecting to your network
When you have completed the initial configuration, you can connect the DFL-500 NPG between your internal network and the Internet.
There are two 10/100 BaseTX connectors on the DFL-500 NPG:
• Internal, for connecting to your internal network
• External, for connecting to the Internet
To connect the DFL-500 NPG:
• Connect the Internal interface to the hub or switch connected to your internal network.
• Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider.
DFL-500 User Manual 21
[Figure: DFL-500 network connections (internal network, DFL-500, public switch or router)]
DFL-500 User Manual 22
Firewall configuration
By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.
Default policy
    Source        Destination   Schedule  Service  Action   Enable  Config
1   Internal_All  External_All  Always    ANY      ACCEPT
Policies are instructions used by the firewall to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, de
ters.
SSH, Secure Shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong, secure authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100 would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.
Subnet Address: The part of the IP address that identifies the subnetwork.
TCP, Transmission Control Protocol: One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
UDP, User Datagram Protocol: A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.
DFL-500 User Manual 102
VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be interce
teway at the opposite end of the tunnel.
Replay Detection: Select Replay Detection to prevent IPSec replay attacks. See About replay detection.
Encryption Algorithm: Select an algorithm from the list. Make sure that you use the same algorithm at both ends of the tunnel.
Encryption Key: Required for encryption algorithms that include ESP-DES or ESP-3DES. For all DES encryption algorithms, enter one hexadecimal number of up to 16 digits. Use the same encryption key at both ends of the tunnel. For all 3DES encryption algorithms, enter three hexadecimal numbers of up to 16 digits each. Use the same encryption key at both ends of the tunnel.
DFL-500 User Manual 59
Authentication Key: Required for encryption algorithms that include MD5 or SHA1 authentication. For MD5 authentication, enter two hexadecimal numbers of 16 digits each. Use the same authentication key at both ends of the tunnel. For SHA1 authentication, enter two hexadecimal numbers, one of 16 digits and one of 20 digits. Use the same authentication key at both ends of the tunnel.
Concentrator: Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. See Adding a VPN concentrator.
Select OK to save the manual key VPN tunnel.
[Figure: Adding a manual key VPN tunnel (screenshot of the Manual Key tunnel form: Tunnel Name, Local SPI, ...)]
the banned word list. Enable Banned Word must be selected at the top of the banned word list for web pages containing banned words to be blocked.
Clearing the banned word list
• Go to Web Filter > Content Block.
• Select Clear Banned Word List to remove all entries in the banned word list.
Changing the content block message
To customize the message that users receive when the DFL-500 NPG blocks web content:
• Go to Web Filter > Content Block.
• Select Edit Prompt to edit the content block message.
• Edit the text of the message. You can include HTML code in the message.
• Select OK to save your changes. The DFL-500 NPG will now display the message when content is blocked.
Backing up and restoring the banned word list
You can back up the banned word list by downloading it to a text file on the management computer.
• Go to Web Filter > Content Block.
DFL-500 User Manual 72
• Select Backup Banned Word List. The DFL-500 NPG downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file, as well as a name for the text file.
You can make changes to the text file and upload it from your management computer to the DFL-500 NPG. Each banned word or phrase must appear on a separate line in the text file. Use ASCII and western language characters only. All words are enabled by default. You can optionally follow the word with a space and a 1, anoth
to a service group that includes the HTTP service.
Web filter: For web filter content filtering to take effect, you must configure web content filtering. See Web content filtering. You can select show settings to display the current web filter content filtering settings for the DFL-500 NPG.
• Select OK to add the policy. The policy is added to the selected policy list.
• Arrange policies in the policy list so that they have the results that you expect. See Configuring policy lists for more information.
DFL-500 User Manual 26
[Figure: Adding a NAT/Route Int > Ext policy (screenshot of the policy form: Source, Destination, Schedule, Service, Action, NAT, Dynamic IP Pool, Fixed Port, Traffic Shaping with Guaranteed Bandwidth, Maximum Bandwidth and Traffic Priority, Authentication, User Group, Log Traffic, Web filter show settings)]
Adding Transparent mode policies
Add Transparent mode policies to control the network traffic that is allowed to pass through the firewall when you are running the DFL-500 NPG in Transparent mode.
• Go to Firewall > Policy.
• Select a policy list tab.
• Select New to add a new policy. You can also select Insert Policy Before on a policy in the list to add the new policy above a specific policy.
• Configure the policy.
Source: Select an address or address group that matches the source address of the packet. Before you
to the web-based manager.
Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.
DFL-500 User Manual 12
Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL-500 NPG to the computer ethernet connection.
Start Internet Explorer and browse to the address https://192.168.1.99. The DFL-500 login appears.
Type admin in the Name field and select Login. The Register Now window appears. Use the information on this window to register your DFL-500 NPG. Register your DFL-500 NPG so that D-Link can contact you for firmware updates.
[Figure: DFL-500 login screen]
Connecting to the command line interface (CLI)
As an alternative to the web-based manager, you can install and configure the DFL-500 NPG using the CLI. Configuration changes made with the CLI are effective immediately, without the need to reset the firewall or interrupt service.
To connect to the DFL-500 CLI, you need:
• a computer with an available communications port
• the null modem cable included in your DFL-500 package
• terminal emulation software such as HyperTerminal for Windows
The following procedure describes how to connect to the DFL-500 CLI using Windows HyperTerminal software. You can use any terminal emulation program.
Connect the null modem cable to the DFL-500
toIKE key tunnel to specify the parameters used to create and maintain a VPN tunnel that has been started by a remote gateway configuration.
To add an AutoIKE key VPN tunnel:
• Go to VPN > IPSEC > AutoIKE Key.
• Select New to add a new AutoIKE key VPN tunnel.
• Configure the AutoIKE key VPN tunnel.
Tunnel Name: Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Remote Gateway: Select a STATIC or a DIALUP remote gateway to associate with the VPN tunnel. Select a static remote gateway if you are configuring IPSec redundancy. See Configuring Remote Gateway IPSec redundancy. If you select a static gateway, you can select up to three remote gateways. To decrease the number of remote gateways, select the minus sign. To increase the number of remote gateways, select the plus sign.
P2 Proposal: Select up to three encryption and authentication algorithm combinations to propose for phase 2. Two are selected by default. To decrease the number of combinations selected, select the minus sign. To increase the number of combinations selected, select the plus sign. See About the P2 proposal.
Enable replay detection: Select Enable replay detection to prevent IPSec replay attacks during phase 2. See About replay detection.
Enable perfect forward secrecy (PFS): Select Enable perfect forward secrecy (PFS) to improve the security of phase 2 keys
transmitting private documents over the Internet using a Web browser.
Internal interface: The DFL-500 interface that is connected to your internal (private) network.
Internet: A collection of networks connected together that span the entire globe using the NSFNET as their backbone. As a generic term, it refers to any collection of interdependent networks.
ICMP, Internet Control Message Protocol: Part of the Internet Protocol (IP) that allows for the generation of error messages, test packets, and information messages relating to IP. This is the protocol used by the ping function when sending ICMP Echo Requests to a network host.
IKE, Internet Key Exchange: A method of automatically exchanging authentication and encryption keys between two secure servers.
IMAP, Internet Message Access Protocol: An Internet email protocol that allows access to your email from any IMAP-compatible browser. With IMAP, your mail resides on the server.
IP, Internet Protocol: The component of TCP/IP that handles routing.
IP Address: An identifier for a computer or device on a TCP/IP network. An IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255.
L2TP, Layer Two (2) Tunneling Protocol: An extension to the PPTP protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP
tween which the schedule should be active. Recurring schedules use the 24-hour clock.
• Select OK.
Adding a schedule to a policy
After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.
Arrange the policy in the policy list to have the effect that you expect. For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.
Virtual IPs
NAT mode security policies hide the addresses of more secure networks from less secure networks. To allow connections from a less secure network to an address in a more secure network, you must create an external address in the less secure network and map that address to a real address in the more secure network. This association is called a virtual IP.
For example, if the computer hosting your web server is located on your internal network, it could have a private IP address such as 192.168.1.10. To get packets from the Internet to your web server, you must
DFL-500 User Manual 35
create an external address for the web server on the Internet. You must then add a virtual IP to the firewall
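The policy matching described in the firewall configuration sections (first matching policy on source address, destination address, service and schedule decides; anything unmatched is blocked) and the "DENY policy with a one-time schedule placed above the policy to be denied" ordering advice in the schedule section above can be seen working in the following added example. It is illustration code written for this page, not the DFL-500 firmware or any D-Link code: the address book, the services, the 192.168.1.0/24 internal network, the maintenance window and the sample packets are all constructed here, and the evaluator also handles a recurring weekday/hour schedule, which goes slightly beyond the one-time case the text walks through.

```python
"""Added example (not from the DFL-500 manual): a first-match firewall policy
evaluator modelled on the manual's description of policies and schedules and on
its default Internal_All -> External_All / Always / ANY / ACCEPT policy.
All names, address ranges, times and sample packets are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Address book: name -> list of networks (an address group is simply several networks).
ADDRESSES = {
    "Internal_All": [ip_network("192.168.1.0/24")],   # constructed internal LAN
    "External_All": [ip_network("0.0.0.0/0")],
    "Web_Server":   [ip_network("192.168.1.10/32")],  # the manual's example web server address
}

# Services: name -> (protocol, destination port); ANY matches everything.
SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "SSH": ("tcp", 22)}


@dataclass(frozen=True)
class Schedule:
    """Always (no fields), a one-time window [start, stop), or a recurring
    weekday/hour window on the 24-hour clock, as the manual describes."""
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    weekdays: Optional[FrozenSet[int]] = None   # 0 = Monday ... 6 = Sunday
    start_hour: int = 0
    stop_hour: int = 24

    def active(self, now: datetime) -> bool:
        if self.start is not None:                       # one-time schedule
            return self.start <= now < self.stop
        if self.weekdays is not None:                    # recurring schedule
            return now.weekday() in self.weekdays and self.start_hour <= now.hour < self.stop_hour
        return True                                      # Always


@dataclass
class Policy:
    source: str
    destination: str
    service: str
    action: str                                  # ACCEPT or DENY
    schedule: Schedule = field(default_factory=Schedule)
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _in_address(ip: str, name: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADDRESSES[name])


def _service_matches(pkt: Packet, name: str) -> bool:
    spec = SERVICES[name]
    return spec is None or (pkt.proto, pkt.dport) == spec


def evaluate(policies: list, pkt: Packet, now: datetime) -> str:
    """Walk the policy list top to bottom; the first enabled policy whose source,
    destination, service and schedule all match decides.  A packet matching no
    policy is dropped: the manual's 'the firewall blocks all other connections'."""
    for pol in policies:
        if not pol.enabled or not pol.schedule.active(now):
            continue
        if (_in_address(pkt.src, pol.source) and _in_address(pkt.dst, pol.destination)
                and _service_matches(pkt, pol.service)):
            return pol.action
    return "DENY (no matching policy)"


# Constructed policy list.  The one-time DENY sits ABOVE the default policy, the
# ordering the manual recommends for overriding an ACCEPT during a window.
MAINTENANCE = Schedule(start=datetime(2024, 1, 6, 22, 0), stop=datetime(2024, 1, 7, 2, 0))
BUSINESS_HOURS = Schedule(weekdays=frozenset(range(5)), start_hour=8, stop_hour=18)
POLICIES = [
    Policy("Internal_All", "External_All", "ANY", "DENY", schedule=MAINTENANCE),
    Policy("Internal_All", "External_All", "ANY", "ACCEPT"),          # the default policy
    Policy("External_All", "Web_Server", "HTTP", "ACCEPT", schedule=BUSINESS_HOURS),
]


def demo() -> dict:
    """Run constructed packets through POLICIES and return the decisions."""
    inside = Packet("192.168.1.20", "203.0.113.5", "tcp", 80)
    web = Packet("198.51.100.7", "192.168.1.10", "tcp", 80)
    ssh = Packet("198.51.100.7", "192.168.1.10", "tcp", 22)
    return {
        "during_window": evaluate(POLICIES, inside, datetime(2024, 1, 6, 23, 0)),
        "outside_window": evaluate(POLICIES, inside, datetime(2024, 1, 7, 9, 0)),
        "web_monday_10h": evaluate(POLICIES, web, datetime(2024, 1, 8, 10, 0)),
        "web_sunday": evaluate(POLICIES, web, datetime(2024, 1, 7, 9, 0)),
        "ssh_to_web": evaluate(POLICIES, ssh, datetime(2024, 1, 8, 10, 0)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Reordering the list so that the default ACCEPT comes first would make the maintenance DENY unreachable, which is exactly why the manual insists on arranging the policy list before trusting it; the matcher is the same, only the order differs.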
u have configured.
Enabling alert email
You can configure the DFL-500 NPG to send alert email in response to firewall or VPN events. Use the following procedure to enable alert emails:
• Go to Log & Report > Alert Mail > Categories.
• Select Enable Alert Email for Critical Firewall/VPN events or violations to have the DFL-500 send an alert email when a critical firewall or VPN event occurs. Critical firewall events include failed authentication attempts. Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels.
• Select Apply.
DFL-500 User Manual 80
Administration
This chapter describes how to use the web-based manager to administer and maintain the DFL-500 NPG. It contains the following sections:
• System status
• Upgrading the DFL-500 NPG firmware
• Displaying the DFL-500 NPG serial number
• Backing up system settings
• Restoring system settings
• Restoring system settings to factory defaults
• Changing to Transparent mode
• Changing to NAT/Route mode
• Restarting the DFL-500 NPG
• Shutting down the DFL-500 NPG
• System status monitor
• Network configuration
• Configuring the internal interface
• Configuring the external interface
• Configuring the management interface (Transparent mode)
• Setting DNS server addresses
• Configuring routing
• Adding routing gateways
• Adding a default route
• Adding routes to the routing table
• Con
ure that the internal interface is connected to your internal network.
• To confirm that you can connect to the TFTP server from the DFL-500 NPG, start the CLI and use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
  > execute ping 192.168.1.168
DFL-500 User Manual 82
• Enter the following command to restart the DFL-500 NPG:
  > execute reboot
As the DFL-500 NPG reboots, messages similar to the following appear:
  BIOS Version 2.2
  Serial number FGT-502801021075
  SDRAM Initialization
  Scanning PCI Bus... Done
  Total RAM 256M
  Enabling Cache... Done
  Allocating PCI Resources... Done
  Zeroing IRQ Settings... Done
  Enabling Interrupts... Done
  Configuring L2 Cache... Done
  Boot Up
  Boot Device Capacity 62592k Bytes
  Press Any Key To Download Boot Image
• Quickly press any key to interrupt system startup. The following message appears:
  Enter TFTP Server Address 192.168.1.168
You only have 3 seconds to press any key. If you do not press any key soon enough, the DFL-500 reboots and you must log in and repeat the execute reboot command.
• Type the address of the TFTP server and press Enter. The following message appears:
  Enter Local Address 192.168.1.188
• Type the address of the internal interface of the DFL-500 and press Enter. The following message appears:
  Enter File Name image.out
• Enter the firmware image file name and press Enter. The TFTP
very IPSec packet to see if it has previously been received. If packets arrive out of sequence, the DFL-500 NPG discards them.
DFL-500 User Manual 58
The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configure alert email and select Enable alert email for critical firewall/VPN events or violations. For information about alert email, see Configuring alert email.
About perfect forward secrecy (PFS)
Perfect forward secrecy (PFS) improves the security of a VPN tunnel by making sure that each key created during phase 2 is not related to the keys created during phase 1 or to other keys created during phase 2. PFS might reduce performance because it forces a new Diffie-Hellman key exchange when the phase 2 tunnel starts and whenever the keylife ends and a new key must be generated. As a result, using PFS might cause minor delays during key generation.
If you do not enable PFS, the VPN tunnel creates all phase 2 keys from a key created during phase 1. This method of creating keys is less processor intensive but also less secure. If an unauthorized party gains access to the key created during phase 1, all the phase 2 encryption keys can be compromised.
Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the DFL-500 NPG and a remote IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists of a name fo
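The replay detection paragraph above says the gateway checks every IPSec packet against what it has already received and discards out-of-sequence packets, and the alert email section notes that a detected replay raises a critical VPN event. The added example below, written for this page and not taken from the DFL-500 firmware or any D-Link code, shows the standard way such a check is implemented: the RFC 4303 anti-replay sliding window over ESP sequence numbers. It goes a little beyond the manual's wording in that, like RFC 4303, it still accepts a late packet that falls inside the window and has never been seen, while rejecting duplicates and packets older than the window; the window size and the sample sequence numbers are constructed.

```python
"""Added example (not from the DFL-500 manual): an ESP anti-replay sliding window
of the kind the 'Replay Detection' option describes.  Window size and the sample
sequence numbers are constructed for illustration."""


class AntiReplayWindow:
    """Track the highest sequence number accepted and a bitmap of the last
    `size` sequence numbers (RFC 4303 section 3.4.3 style).

    check(seq) returns:
      'accept'   new sequence number, recorded in the window
      'replay'   sequence number already received; this is the event the
                 manual's alert email reports (counted in self.replays)
      'too_old'  older than the window, dropped without a replay alert
      'invalid'  0 or above 32 bits, which ESP never sends
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit 0 = highest, bit k = highest - k
        self.replays = 0      # replay events detected on this SA

    def check(self, seq: int) -> str:
        if seq <= 0 or seq > 0xFFFFFFFF:
            return "invalid"
        if seq > self.highest:
            # Slide the window forward to the new packet and mark it as seen;
            # bits shifted past the window edge are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq            # how far behind the right edge
        if offset >= self.size:
            return "too_old"
        if self.bitmap & (1 << offset):
            self.replays += 1                  # duplicate inside the window
            return "replay"
        self.bitmap |= 1 << offset             # late but never seen: accept it
        return "accept"


def run_sample(seqs, size: int = 64):
    """Feed a constructed sequence-number trace through one window and return
    (verdict per packet, number of replay events an alert would be raised for)."""
    window = AntiReplayWindow(size)
    verdicts = [window.check(s) for s in seqs]
    return verdicts, window.replays


# Constructed trace: in-order packets, one late-but-new packet (4), a duplicate
# of 3, a big jump to 100 that slides the window, a packet that fell off the
# window (30), and one right at the window edge (37).
SAMPLE_TRACE = [1, 2, 3, 5, 4, 3, 100, 30, 37]

if __name__ == "__main__":
    verdicts, replays = run_sample(SAMPLE_TRACE)
    for seq, verdict in zip(SAMPLE_TRACE, verdicts):
        print(f"seq {seq:>3}: {verdict}")
    print(f"replay events: {replays}")
```

The distinction between 'replay' and 'too_old' matters for monitoring: a flood of 'too_old' verdicts usually points at severe reordering or a window that is too small for the link, while 'replay' verdicts are the signal the manual ties to a critical VPN alert.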
virtual IP provides access from the Internet to a Web server on your internal network, the external service port number would be 80 (the HTTP port).
• In Map to IP, enter the real IP address on the more secure network, for example the IP address of a web server on your internal network.
• Set Map to Port to the port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port. If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall.
• Select the protocol to be used by the forwarded packets.
• Select OK to save the port forwarding virtual IP.
Adding policies with virtual IPs
Use the following procedure to add a policy that uses a virtual IP to forward packets:
• Go to Firewall > Policy > Ext > Int.
• Use the following information to configure the policy:
Source: Select the source address from which users can access the server. For example, if you want to add a policy that allows all users on the Internet to access a server, set Source to External_All.
DFL-500 User Manual 38
Destination: Select the virtual IP.
Schedule: Select a schedule as required.
Service: Select the service that matches the Map to Service that you selected for the port forwarding virtual IP.
Action: Set Action to ACCEPT to accept connections to the internal server. You c
web pages
replay detection
  about
  enabling, IPSec manual key VPN tunnel
reporting
restarting
restoring system settings to factory defaults
RIP
  enabling server support
route
  adding default
  adding to the routing table
  adding to the routing table, Transparent mode
Route mode policy
routing
  adding routing gateways
  adding static routes
  configuring
  configuring the routing table
  enabling RIP server support
DFL-500 User Manual 111
RIP
routing gateway
  adding
routing table
  adding a default route
  adding routes
  adding routes, Transparent mode
  configuring
S
schedule
  applying to a policy
  creating one-time
  creating recurring
  policy option
script filter
scripts
  removing from web pages
security parameter index
security policy mode
serial number
  displaying
service
  custom
  policy option
  pre-defined
  user-defined
service group
  adding
session
  clearing
setup wizard
  starting
shutting down
SMTP
SNMP
  configuring
  contact information
  first trap receiver IP address
  get community
  system location
  trap community
source
  policy option
squidGuard
SSH
SSL
starting IP
  DHCP
  L2TP
  PPTP
static IP/MAC list
static NAT virtual IP
  adding
static route
  adding
status
DFL-500 User Manual 112
  IPSec VPN tunnel
  viewing dialup connection status
  viewing VPN tunnel status
subnet
subnet address
switching operating mode
system configuration
system date and time
y by choosing a user group in the User Group field. Selecting a user group is optional. For information about user groups, see Configuring user groups.
• Add one or more AutoIKE key VPN tunnels that include the remote gateway added in step 1. See Adding an AutoIKE key VPN tunnel.
• Add an incoming encrypt policy with External_All as the source address to allow all dialup users to access the VPN tunnel. See Adding an encrypt policy.
Configuring a VPN concentrator for hub and spoke VPN
A hub and spoke VPN consists of a VPN concentrator on a central DFL-500 NPG (the hub) and two or more VPN tunnels (the spokes). The spoke VPNs communicate with each other through the hub VPN concentrator.
To create a hub and spoke configuration, you must create a VPN concentrator on the central DFL-500 NPG. You must configure encrypt policies from each VPN spoke network to the VPN concentrator network and to the other VPN spoke networks.
This section describes:
• Configuring the VPN concentrator
• Configuring the member VPNs
DFL-500 User Manual 50
Configuring the VPN concentrator
On the VPN concentrator network, you must create one VPN tunnel for each of the prospective VPN concentrator members and then add these tunnels to a VPN concentrator. You can add both AutoIKE and manual key VPN tunnels to a VPN concentrator. Encrypt policies control the direction of traffic through the VPN concentrator. You must create a separate encrypt policy for each VPN added
y or remote gateway (PPTP or L2TP) configuration.
To delete a user group:
• Go to User > User Group.
• Select Delete beside the user group that you want to delete.
• Select OK.
DFL-500 User Manual 47
IPSec VPNs
Using IPSec Virtual Private Networking (VPN), you can securely join two or more widely separated private networks or computers together through the Internet. For example, if you are away from home, you can use a VPN to securely connect through your DFL-500 NPG to your home network. If you telecommute, you can securely connect from your home network through your DFL-500 NPG to your employer's private network.
The secure IPSec VPN tunnel makes it appear to all VPN users that they are on physically connected networks. The VPN protects data passing through the tunnel by encrypting it to guarantee confidentiality. In addition, authentication guarantees that the data originated from the claimed sender and was not damaged or altered in transit. IPSec is an Internet security standard for VPN and is supported by most VPN products.
DFL-500 IPSec VPNs support three VPN configurations:
• Auto Internet Key Exchange (IKE) key VPN
• Manual Key Exchange VPN
• Dialup VPN
Both AutoIKE key and manual key configurations are used to connect remote clients or VPN gateways that have static IP addresses to a DFL-500 VPN gateway. Dialup VPN uses an AutoIKE key configuration that allows clients or remote gateways with dynamic IP addresses to conn
